secure-coding-rules 2.0.0 → 2.0.1

package/README.md

@@ -1,12 +1,12 @@
 # secure-coding-rules
 
 [![npm version](https://img.shields.io/npm/v/secure-coding-rules.svg)](https://www.npmjs.com/package/secure-coding-rules)
-[![license](https://img.shields.io/npm/l/secure-coding-rules.svg)](https://github.com/user/secure-coding-rules/blob/main/LICENSE)
+[![license](https://img.shields.io/npm/l/secure-coding-rules.svg)](https://github.com/kwakseongjae/js-secure-coding-prompt-templates/blob/main/LICENSE)
 [![node](https://img.shields.io/node/v/secure-coding-rules.svg)](https://nodejs.org)
 
-**OWASP Top 10 2025** 기반 JavaScript/TypeScript 보안 코딩 룰을 AI 코딩 어시스턴트에 자동 적용하는 CLI 도구입니다.
+Apply **OWASP Top 10 2025** JavaScript/TypeScript security rules to your AI coding assistant with one command.
 
-`npx secure-coding-rules` 한 줄이면 프로젝트의 CLAUDE.md, .cursor/rules, .windsurf/rules, copilot-instructions.md, AGENTS.md에 보안 룰이 적용됩니다.
+Auto-generates security guidelines for CLAUDE.md, .cursor/rules, .windsurf/rules, copilot-instructions.md, and AGENTS.md.
 
 ---
 
@@ -16,107 +16,107 @@
 npx secure-coding-rules
 ```
 
-인터랙티브 프롬프트:
-1. AI 도구 선택 (Claude Code / Cursor / Windsurf / Copilot / AGENTS.md)
-2. 프레임워크 선택 (React / Vue / Node.js / Vanilla) - **자동 감지됨**
-3. 보안 카테고리 선택 (전체 또는 개별)
+Interactive prompts:
+1. Select AI tool (Claude Code / Cursor / Windsurf / Copilot / AGENTS.md)
+2. Select framework (React / Vue / Node.js / Vanilla) - **auto-detected**
+3. Select security categories (all or individual)
 
 ### Auto Mode
 
-프로젝트를 분석하여 자동으로 최적의 설정을 적용합니다:
+Analyzes your project and applies optimal settings automatically:
 
 ```bash
 npx secure-coding-rules --yes
 ```
 
-- 기존 AI 도구 설정 파일이 있으면 자동 감지 후 업데이트
-- package.json에서 프레임워크 자동 감지 (React, Vue, Node.js 등)
-- CI/CD 등 non-interactive 환경에서도 동작
+- Auto-detects existing AI tool config files and updates them
+- Auto-detects framework from package.json (React, Vue, Node.js, etc.)
+- Works in CI/CD and other non-interactive environments
 
 ### Status Check
 
-현재 프로젝트의 보안 룰 상태만 확인:
+Check current project security rule status:
 
 ```bash
 npx secure-coding-rules --check
 ```
 
-## 지원 AI 도구
+## Supported AI Tools
 
-| AI Tool | Output | 기존 파일 |
-|---------|--------|----------|
-| **Claude Code** | `CLAUDE.md` | 자동 병합 |
-| **Cursor** | `.cursor/rules/*.mdc` | 개별 파일 생성 |
-| **Windsurf** | `.windsurf/rules/*.md` | 개별 파일 생성 |
-| **GitHub Copilot** | `.github/copilot-instructions.md` | 자동 병합 |
-| **AGENTS.md** | `AGENTS.md` | 자동 병합 |
+| AI Tool | Output | Existing files |
+|---------|--------|----------------|
+| **Claude Code** | `CLAUDE.md` | Auto-merge |
+| **Cursor** | `.cursor/rules/*.mdc` | Per-category files |
+| **Windsurf** | `.windsurf/rules/*.md` | Per-category files |
+| **GitHub Copilot** | `.github/copilot-instructions.md` | Auto-merge |
+| **AGENTS.md** | `AGENTS.md` | Auto-merge |
 
-## 보안 카테고리 (OWASP Top 10 2025)
+## Security Categories (OWASP Top 10 2025)
 
 | Code | Category | Description |
 |------|----------|-------------|
-| A01 | Broken Access Control | RBAC/ABAC, IDOR 방지, 서버사이드 인가 |
-| A02 | Security Misconfiguration | 보안 헤더, CORS, 환경변수 관리 |
-| A03 | Supply Chain Failures | npm audit, lockfile 무결성, SRI **(2025 신규)** |
-| A04 | Cryptographic Failures | 안전한 해싱, 암호화, 키 관리 |
+| A01 | Broken Access Control | RBAC/ABAC, IDOR prevention, server-side authz |
+| A02 | Security Misconfiguration | Security headers, CORS, env vars |
+| A03 | Supply Chain Failures | npm audit, lockfile integrity, SRI **(New in 2025)** |
+| A04 | Cryptographic Failures | Secure hashing, encryption, key management |
 | A05 | Injection | XSS, SQLi, NoSQLi, Command Injection |
-| A06 | Insecure Design | Threat modeling, 최소 권한 원칙 |
-| A07 | Authentication Failures | MFA, 세션 관리, 패스워드 정책 |
-| A08 | Data Integrity Failures | SRI, 안전한 역직렬화, CI/CD 보안 |
-| A09 | Logging & Alerting | 보안 로깅, 민감정보 마스킹, 알림 |
-| A10 | Error Handling | Fail-safe 기본값, 에러 정보 노출 방지 **(2025 신규)** |
+| A06 | Insecure Design | Threat modeling, least privilege |
+| A07 | Authentication Failures | MFA, session management, password policy |
+| A08 | Data Integrity Failures | SRI, safe deserialization, CI/CD security |
+| A09 | Logging & Alerting | Security logging, sensitive data masking |
+| A10 | Error Handling | Fail-safe defaults, error info leakage **(New in 2025)** |
 
 ### Frontend Modules
 
 | Code | Category | Description |
 |------|----------|-------------|
-| FE-01 | XSS Prevention | DOM 조작 보안, sanitization |
-| FE-02 | CSRF Protection | 토큰 기반 방어, SameSite 쿠키 |
-| FE-03 | Content Security Policy | CSP 헤더, nonce, 리포팅 |
-| FE-04 | Secure State | 안전한 상태관리, 메모리 내 토큰 |
+| FE-01 | XSS Prevention | Safe DOM manipulation, sanitization |
+| FE-02 | CSRF Protection | Token-based defense, SameSite cookies |
+| FE-03 | Content Security Policy | CSP headers, nonce, reporting |
+| FE-04 | Secure State | Safe state management, in-memory tokens |
 
-## 동작 방식
+## How It Works
 
-### 룰 형식
+### Rule Format
 
-모든 보안 룰은 AI가 이해하기 쉬운 일관된 구조를 따릅니다:
+All security rules follow a consistent, AI-friendly structure:
 
 ```markdown
 ### 1. Rule Title
-- **DO**: 구체적으로 해야 할 것
-- **DON'T**: 하지 말아야 할 것
-- **WHY**: 왜 중요한지
+- **DO**: What to do (specific instruction)
+- **DON'T**: What to avoid
+- **WHY**: Why it matters
 
 ## Code Examples
 ### Bad Practice / Good Practice
 
 ## Quick Checklist
-- [ ] 체크리스트 항목
+- [ ] Checklist items
 ```
 
-### 기존 파일 병합
+### File Merging
 
-이미 CLAUDE.md 등이 있으면 기존 내용을 보존하고 보안 섹션만 추가/업데이트합니다:
+If CLAUDE.md or other config files already exist, existing content is preserved and only the security section is added/updated:
 
 ```html
 <!-- js-secure-coding:start -->
-(이 영역만 업데이트됨)
+(only this region is updated)
 <!-- js-secure-coding:end -->
 ```
 
-다시 실행하면 해당 영역만 최신 버전으로 교체됩니다.
+Re-running replaces only the marked region with the latest version.
 
-### 프로젝트 자동 감지
+### Auto-Detection
 
-`secure-coding-rules`는 실행 시 현재 프로젝트를 분석합니다:
+`secure-coding-rules` analyzes your project at runtime:
 
-- **AI 도구 감지**: CLAUDE.md, .cursor/, .windsurf/, .github/ 존재 여부 확인
-- **프레임워크 감지**: package.json의 dependencies에서 React/Vue/Express 등 파악
-- **상태 표시**: 인터랙티브 모드에서 감지 결과를 보여주고, 관련 항목을 우선 추천
+- **AI tools**: Checks for CLAUDE.md, .cursor/, .windsurf/, .github/
+- **Framework**: Reads package.json dependencies (React, Vue, Express, etc.)
+- **Smart prompts**: Detected items are highlighted and prioritized in interactive mode
 
-## 수동 사용
+## Manual Usage
 
-CLI 없이 `src/templates/` 마크다운 파일을 직접 복사하여 사용 가능합니다:
+You can also copy markdown files from `src/templates/` directly without the CLI:
 
 ```
 src/templates/
@@ -141,18 +141,29 @@ src/templates/
 ## CLI Options
 
 ```
-npx secure-coding-rules              인터랙티브 모드 (자동 감지)
-npx secure-coding-rules --yes        스마트 기본값으로 자동 적용
-npx secure-coding-rules --check      프로젝트 보안 상태 확인
-npx secure-coding-rules --help       도움말
-npx secure-coding-rules --version    버전
+npx secure-coding-rules              Interactive mode (auto-detect)
+npx secure-coding-rules --yes        Smart defaults
+npx secure-coding-rules --check      Project security status
+npx secure-coding-rules --dry-run    Preview (no file writes)
+npx secure-coding-rules --lang ko    Run in Korean (한국어)
+npx secure-coding-rules --help       Help
+npx secure-coding-rules --version    Version
+```
+
+### Language / 다국어
+
+Auto-detects system locale (`LANG` env). Override with `--lang`:
+
+```bash
+npx secure-coding-rules --lang en    # English (default)
+npx secure-coding-rules --lang ko    # 한국어
 ```
 
 ## Legacy Templates
 
-v1.0 원본 템플릿은 `legacy/` 디렉토리에 보존되어 있습니다.
+Original v1.0 prompt templates are preserved in the `legacy/` directory.
 
-## 참고 자료
+## References
 
 - [OWASP Top 10 2025](https://owasp.org/Top10/2025/)
 - [Node.js Security Best Practices](https://nodejs.org/en/learn/getting-started/security-best-practices)
@@ -161,7 +172,7 @@ v1.0 원본 템플릿은 `legacy/` 디렉토리에 보존되어 있습니다.
 
 ## Contributing
 
-PR을 환영합니다! 새로운 보안 룰, AI 도구 어댑터, 기존 내용 개선 등.
+PRs welcome! New security rules, AI tool adapters, or improvements to existing content.
 
 ## License
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "secure-coding-rules",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "OWASP 2025 security rules for AI coding assistants. Auto-apply to CLAUDE.md, Cursor, Windsurf, Copilot, AGENTS.md with one command.",
   "main": "src/index.js",
   "exports": {
@@ -44,16 +44,16 @@
   ],
   "author": {
     "name": "Gwak Seong-jae",
-    "url": "https://github.com/user"
+    "url": "https://github.com/kwakseongjae"
   },
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/user/secure-coding-rules.git"
+    "url": "git+https://github.com/kwakseongjae/js-secure-coding-prompt-templates.git"
   },
-  "homepage": "https://github.com/user/secure-coding-rules#readme",
+  "homepage": "https://github.com/kwakseongjae/js-secure-coding-prompt-templates#readme",
   "bugs": {
-    "url": "https://github.com/user/secure-coding-rules/issues"
+    "url": "https://github.com/kwakseongjae/js-secure-coding-prompt-templates/issues"
   },
   "engines": {
     "node": ">=18.0.0"

package/src/__tests__/adapters.test.js

@@ -0,0 +1,201 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import * as claude from '../adapters/claude.js';
+import * as copilot from '../adapters/copilot.js';
+import * as agents from '../adapters/agents.js';
+import * as cursor from '../adapters/cursor.js';
+import * as windsurf from '../adapters/windsurf.js';
+
+const MOCK_TEMPLATE = `# Test Security Rules
+
+> OWASP Top 10 2025 - A01: Test
+
+## Rules
+
+### 1. Test Rule One
+- **DO**: Do the right thing.
+- **DON'T**: Do the wrong thing.
+- **WHY**: Because security matters.
+
+### 2. Test Rule Two
+- **DO**: Validate input.
+- **DON'T**: Trust user data.
+- **WHY**: Injection attacks are common.
+
+## Code Examples
+
+### Bad Practice
+\`\`\`javascript
+eval(userInput);
+\`\`\`
+
+### Good Practice
+\`\`\`javascript
+sanitize(userInput);
+\`\`\`
+
+## Quick Checklist
+- [ ] Input validated
+- [ ] Output encoded
+`;
+
+function mockTemplates() {
+  return new Map([['access-control', MOCK_TEMPLATE]]);
+}
+
+describe('claude adapter', () => {
+  it('formats templates with markers', () => {
+    const output = claude.format(mockTemplates());
+    assert.ok(output.includes('<!-- js-secure-coding:start -->'));
+    assert.ok(output.includes('<!-- js-secure-coding:end -->'));
+    assert.ok(output.includes('A01: Broken Access Control'));
+  });
+
+  it('extracts Rules and Checklist, not Code Examples', () => {
+    const output = claude.format(mockTemplates());
+    assert.ok(output.includes('Test Rule One'));
+    assert.ok(output.includes('Input validated'));
+    assert.ok(!output.includes('eval(userInput)'));
+  });
+
+  it('merges into existing content', () => {
+    const existing = '# My Project\n\nSome content here.';
+    const section = claude.format(mockTemplates());
+    const merged = claude.merge(existing, section);
+    assert.ok(merged.startsWith('# My Project'));
+    assert.ok(merged.includes('<!-- js-secure-coding:start -->'));
+  });
+
+  it('replaces existing section on re-merge', () => {
+    const first = claude.format(mockTemplates());
+    const existing = `# Project\n\n${first}\n\n# Other stuff`;
+    const newSection = claude.format(mockTemplates(), { framework: 'react' });
+    const merged = claude.merge(existing, newSection);
+
+    const starts = merged.match(/<!-- js-secure-coding:start -->/g);
+    assert.equal(starts.length, 1, 'Should have exactly one start marker');
+    assert.ok(merged.includes('Framework: react'));
+    assert.ok(merged.includes('# Other stuff'));
+  });
+
+  it('handles empty file append without leading whitespace', () => {
+    const merged = claude.merge('', claude.format(mockTemplates()));
+    assert.ok(!merged.startsWith('\n'));
+  });
+});
+
+describe('copilot adapter', () => {
+  it('formats with correct markers', () => {
+    const output = copilot.format(mockTemplates());
+    assert.ok(output.includes('<!-- js-secure-coding:start -->'));
+    assert.ok(output.includes('Security Coding Guidelines'));
+  });
+
+  it('extracts DO, DONT, and WHY rules', () => {
+    const output = copilot.format(mockTemplates());
+    assert.ok(output.includes('**DO**'));
+    assert.ok(output.includes("**DON'T**"));
+    assert.ok(output.includes('**WHY**'));
+  });
+
+  it('handles empty file merge', () => {
+    const merged = copilot.merge('', copilot.format(mockTemplates()));
+    assert.ok(!merged.startsWith('\n'));
+  });
+});
+
+describe('agents adapter', () => {
+  it('formats with markers and title', () => {
+    const output = agents.format(mockTemplates());
+    assert.ok(output.includes('# Security Guidelines'));
+    assert.ok(output.includes('<!-- js-secure-coding:start -->'));
+  });
+
+  it('strips original title from template', () => {
+    const output = agents.format(mockTemplates());
+    assert.ok(!output.includes('# Test Security Rules'));
+  });
+
+  it('handles empty file merge', () => {
+    const merged = agents.merge('', agents.format(mockTemplates()));
+    assert.ok(!merged.startsWith('\n'));
+  });
+});
+
+describe('claude adapter - directory mode', () => {
+  it('generates individual rule files via formatMultiple', () => {
+    const files = claude.formatMultiple(mockTemplates());
+    assert.equal(files.size, 1);
+    assert.ok(files.has('security-access-control.md'));
+  });
+
+  it('has rulesDir defined', () => {
+    assert.equal(claude.rulesDir, '.claude/rules');
+  });
+
+  it('generates reference text via formatReference', () => {
+    const ref = claude.formatReference(['access-control', 'injection']);
+    assert.ok(ref.includes('<!-- js-secure-coding:start -->'));
+    assert.ok(ref.includes('.claude/rules/'));
+    assert.ok(ref.includes('security-access-control.md'));
+    assert.ok(ref.includes('security-injection.md'));
+    assert.ok(ref.includes('A01'));
+    assert.ok(ref.includes('A05'));
+  });
+
+  it('reference can be merged into existing CLAUDE.md', () => {
+    const existing = '# My Project\n\nSome content.';
+    const ref = claude.formatReference(['access-control']);
+    const merged = claude.merge(existing, ref);
+    assert.ok(merged.startsWith('# My Project'));
+    assert.ok(merged.includes('.claude/rules/'));
+  });
+});
+
+describe('copilot adapter - directory mode', () => {
+  it('generates individual rule files via formatMultiple', () => {
+    const files = copilot.formatMultiple(mockTemplates());
+    assert.equal(files.size, 1);
+    assert.ok(files.has('security-access-control.md'));
+  });
+
+  it('has rulesDir defined', () => {
+    assert.equal(copilot.rulesDir, '.github/instructions');
+  });
+
+  it('generates reference text via formatReference', () => {
+    const ref = copilot.formatReference(['access-control']);
+    assert.ok(ref.includes('.github/instructions/'));
+    assert.ok(ref.includes('security-access-control.md'));
+  });
+});
+
+describe('cursor adapter', () => {
+  it('generates multiple .mdc files', () => {
+    const files = cursor.formatMultiple(mockTemplates());
+    assert.equal(files.size, 1);
+    assert.ok(files.has('security-access-control.mdc'));
+  });
+
+  it('includes frontmatter with description', () => {
+    const files = cursor.formatMultiple(mockTemplates());
+    const content = files.get('security-access-control.mdc');
+    assert.ok(content.startsWith('---'));
+    assert.ok(content.includes('description:'));
+  });
+});
+
+describe('windsurf adapter', () => {
+  it('generates multiple .md files', () => {
+    const files = windsurf.formatMultiple(mockTemplates());
+    assert.equal(files.size, 1);
+    assert.ok(files.has('security-access-control.md'));
+  });
+
+  it('strips original title and adds own', () => {
+    const files = windsurf.formatMultiple(mockTemplates());
+    const content = files.get('security-access-control.md');
+    assert.ok(content.startsWith('# A01: Broken Access Control'));
+    assert.ok(!content.includes('# Test Security Rules'));
+  });
+});

package/src/__tests__/loader.test.js

@@ -0,0 +1,68 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { loadTemplate, loadTemplates, getCategoryInfo } from '../loader.js';
+
+describe('loader', () => {
+  describe('loadTemplate', () => {
+    it('loads a core template', async () => {
+      const content = await loadTemplate('access-control');
+      assert.ok(content);
+      assert.ok(content.includes('## Rules'));
+      assert.ok(content.includes('## Quick Checklist'));
+    });
+
+    it('loads a frontend template', async () => {
+      const content = await loadTemplate('xss-prevention');
+      assert.ok(content);
+      assert.ok(content.includes('## Rules'));
+    });
+
+    it('returns null for unknown category', async () => {
+      const content = await loadTemplate('nonexistent-category');
+      assert.equal(content, null);
+    });
+  });
+
+  describe('loadTemplates', () => {
+    it('loads multiple templates', async () => {
+      const templates = await loadTemplates(['access-control', 'injection']);
+      assert.equal(templates.size, 2);
+      assert.ok(templates.has('access-control'));
+      assert.ok(templates.has('injection'));
+    });
+
+    it('loads all 14 templates', async () => {
+      const all = [
+        'access-control', 'security-config', 'supply-chain', 'cryptographic',
+        'injection', 'secure-design', 'authentication', 'data-integrity',
+        'logging-alerting', 'error-handling', 'xss-prevention',
+        'csrf-protection', 'csp', 'secure-state',
+      ];
+      const templates = await loadTemplates(all);
+      assert.equal(templates.size, 14);
+    });
+
+    it('skips unknown categories gracefully', async () => {
+      const templates = await loadTemplates(['access-control', 'fake']);
+      assert.equal(templates.size, 1);
+    });
+  });
+
+  describe('getCategoryInfo', () => {
+    it('returns correct OWASP code for core categories', () => {
+      assert.equal(getCategoryInfo('access-control').owasp, 'A01');
+      assert.equal(getCategoryInfo('injection').owasp, 'A05');
+      assert.equal(getCategoryInfo('error-handling').owasp, 'A10');
+    });
+
+    it('returns correct info for frontend categories', () => {
+      assert.equal(getCategoryInfo('xss-prevention').group, 'frontend');
+      assert.equal(getCategoryInfo('csp').owasp, 'FE-03');
+    });
+
+    it('returns fallback for unknown category', () => {
+      const info = getCategoryInfo('unknown');
+      assert.equal(info.owasp, '??');
+    });
+  });
+});

package/src/adapters/agents.js

@@ -13,11 +13,11 @@ const SECTION_START = '<!-- js-secure-coding:start -->';
 const SECTION_END = '<!-- js-secure-coding:end -->';
 
 export function format(templates, options = {}) {
-  const { framework = 'vanilla' } = options;
+  const { framework = 'vanilla', version = '2.0.0' } = options;
   const lines = [];
 
   lines.push(SECTION_START);
-  lines.push('<!-- version: 2.0.0 -->');
+  lines.push(`<!-- version: ${version} -->`);
   lines.push('');
   lines.push('# Security Guidelines');
   lines.push('');

package/src/adapters/claude.js

@@ -6,6 +6,7 @@ import { getCategoryInfo } from '../loader.js';
 
 export const name = 'Claude Code';
 export const outputPath = 'CLAUDE.md';
+export const rulesDir = '.claude/rules';
 export const description = 'Generates CLAUDE.md for Claude Code';
 
 /**
@@ -15,15 +16,15 @@ const SECTION_START = '<!-- js-secure-coding:start -->';
 const SECTION_END = '<!-- js-secure-coding:end -->';
 
 export function format(templates, options = {}) {
-  const { framework = 'vanilla' } = options;
+  const { framework = 'vanilla', version = '2.0.0' } = options;
   const lines = [];
 
   lines.push(SECTION_START);
-  lines.push('<!-- version: 2.0.0 -->');
+  lines.push(`<!-- version: ${version} -->`);
   lines.push('');
   lines.push('# Security Rules (OWASP 2025)');
   lines.push('');
-  lines.push(`> Auto-generated by js-secure-coding v2.0 | Framework: ${framework}`);
+  lines.push(`> Auto-generated by secure-coding-rules v${version} | Framework: ${framework}`);
   lines.push('> Reference: https://owasp.org/Top10/2025/');
   lines.push('');
 
@@ -61,6 +62,44 @@ export function merge(existingContent, newSection) {
   return (trimmed ? trimmed + '\n\n' : '') + newSection + '\n';
 }
 
+/**
+ * Format templates into individual files for directory mode
+ * Returns Map<filename, content>
+ */
+export function formatMultiple(templates, options = {}) {
+  const files = new Map();
+  for (const [category, content] of templates) {
+    files.set(`security-${category}.md`, content);
+  }
+  return files;
+}
+
+/**
+ * Generate reference text for CLAUDE.md pointing to rules directory
+ */
+export function formatReference(categories, options = {}) {
+  const { version = '2.0.0' } = options;
+  const lines = [
+    SECTION_START,
+    `<!-- version: ${version} -->`,
+    '',
+    '# Security Rules (OWASP 2025)',
+    '',
+    `> Auto-generated by secure-coding-rules v${version}`,
+    '> Full rules are in .claude/rules/security-*.md',
+    '',
+    'Security rules are loaded from `.claude/rules/` directory:',
+    '',
+  ];
+  for (const cat of categories) {
+    const info = getCategoryInfo(cat);
+    lines.push(`- \`security-${cat}.md\` - ${info.owasp}: ${info.title}`);
+  }
+  lines.push('');
+  lines.push(SECTION_END);
+  return lines.join('\n');
+}
+
 function extractEssentials(content) {
   const lines = content.split('\n');
   const result = [];