secure-coding-rules 2.0.0 → 2.0.1

package/src/prompts.js

@@ -6,6 +6,7 @@
 import { createInterface } from 'node:readline';
 import { existsSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
+import { t } from './i18n.js';
 
 // ─── Readline helpers ────────────────────────────────────────────
 
@@ -24,7 +25,7 @@ function ask(question) {
 
 function printOptions(options) {
   options.forEach((opt, i) => {
-    const marker = opt.detected ? ' (detected)' : '';
+    const marker = opt.detected ? ` (${t('detected')})` : '';
     console.log(`  ${i + 1}) ${opt.label}${marker}`);
   });
 }
@@ -32,20 +33,18 @@ function printOptions(options) {
 async function selectOne(question, options) {
   console.log(`\n${question}`);
   printOptions(options);
-  const answer = await ask(`\nSelect (1-${options.length}): `);
+  const answer = await ask(`\n${t('selectPrompt')} (1-${options.length}): `);
   const idx = parseInt(answer, 10) - 1;
   if (idx >= 0 && idx < options.length) return options[idx].value;
-  console.log('Invalid selection, defaulting to first option.');
+  console.log(t('invalidSelection'));
   return options[0].value;
 }
 
 async function selectMultiple(question, options) {
   console.log(`\n${question}`);
   printOptions(options);
-  console.log(`  0) All`);
-  const answer = await ask(
-    `\nSelect (comma-separated, e.g. 1,3,5 or 0 for all): `
-  );
+  console.log(`  0) ${t('selectAll')}`);
+  const answer = await ask(`\n${t('selectPrompt')} (${t('selectAllComma')}): `);
 
   if (answer === '0' || answer.toLowerCase() === 'all') {
     return options.map((o) => o.value);
@@ -57,7 +56,7 @@ async function selectMultiple(question, options) {
     .filter((i) => i >= 0 && i < options.length);
 
   if (indices.length === 0) {
-    console.log('No valid selection, selecting all.');
+    console.log(t('noValidSelection'));
     return options.map((o) => o.value);
   }
 
@@ -101,16 +100,14 @@ export const SECURITY_CATEGORIES = [
   { label: 'Frontend: CSRF Protection', value: 'csrf-protection' },
   { label: 'Frontend: CSP', value: 'csp' },
   { label: 'Frontend: Secure State Management', value: 'secure-state' },
+  { label: 'TypeScript Security', value: 'typescript-security' },
+  { label: 'Framework: React / Next.js', value: 'react-security' },
+  { label: 'Framework: Express / Node.js', value: 'express-security' },
+  { label: 'Framework: Next.js (App Router)', value: 'nextjs-security' },
 ];
 
 // ─── Project state detection ─────────────────────────────────────
 
-/**
- * Detect the current project environment:
- * - Which AI tool configs already exist
- * - What framework is being used (via package.json)
- * - Whether this is a new or existing project
- */
 export function detectProjectState(cwd) {
   const state = {
     hasPackageJson: existsSync(join(cwd, 'package.json')),
@@ -119,7 +116,6 @@ export function detectProjectState(cwd) {
     existingRules: {},
   };
 
-  // Detect existing AI tool configs
   const toolPaths = {
     claude: 'CLAUDE.md',
     cursor: '.cursor/rules',
@@ -136,7 +132,6 @@ export function detectProjectState(cwd) {
     }
   }
 
-  // Detect framework from package.json dependencies
   if (state.hasPackageJson) {
     try {
       const pkg = JSON.parse(
@@ -159,30 +154,27 @@ export function detectProjectState(cwd) {
   return state;
 }
 
-/**
- * Print a summary of the detected project state
- */
 export function printProjectStatus(state) {
-  console.log('\n📋 Project Status:');
+  console.log(`\n📋 ${t('projectStatus')}`);
 
   if (state.detectedTools.length > 0) {
     const toolNames = state.detectedTools
-      .map((t) => AI_TOOLS.find((a) => a.value === t)?.label || t)
+      .map((tool) => AI_TOOLS.find((a) => a.value === tool)?.label || tool)
       .join(', ');
-    console.log(`  AI tools detected: ${toolNames}`);
+    console.log(`  ${t('toolsDetected')} ${toolNames}`);
   } else {
-    console.log('  No AI tool configs found (new setup)');
+    console.log(`  ${t('noToolsFound')}`);
   }
 
   if (state.detectedFramework) {
     const fwName =
       FRAMEWORKS.find((f) => f.value === state.detectedFramework)?.label ||
       state.detectedFramework;
-    console.log(`  Framework detected: ${fwName}`);
+    console.log(`  ${t('frameworkDetected')} ${fwName}`);
   }
 
   if (!state.hasPackageJson) {
-    console.log('  No package.json found (works fine - rules will be created in current directory)');
+    console.log(`  ${t('noPackageJson')}`);
   }
 }
 
@@ -196,28 +188,26 @@ export async function promptUser(args) {
   const cwd = process.cwd();
   const state = detectProjectState(cwd);
 
-  // --check flag: just show status and exit (must be before auto-mode check)
+  // --check flag
   if (args.includes('--check')) {
     printProjectStatus(state);
-    return null; // Signal to index.js to exit early
+    return null;
   }
 
-  // Non-interactive mode: --yes flag or non-TTY environment
+  // Non-interactive mode
   if (args.includes('--yes') || args.includes('-y') || !isInteractive()) {
     if (!isInteractive() && !args.includes('--yes') && !args.includes('-y')) {
-      console.log('Non-interactive environment detected, using defaults.');
+      console.log(t('nonInteractive'));
     }
 
-    // Smart defaults based on detection
-    const tool =
-      state.detectedTools.length === 1
-        ? state.detectedTools[0]
-        : state.detectedTools.includes('claude')
-          ? 'claude'
-          : 'claude';
+    const tools =
+      state.detectedTools.length > 0
+        ? state.detectedTools
+        : ['claude'];
 
     return {
-      tool,
+      tools,
+      outputMode: 'inline',
       framework: state.detectedFramework || 'vanilla',
       categories: SECURITY_CATEGORIES.map((c) => c.value),
       includeFrontend: (state.detectedFramework || 'vanilla') !== 'node',
@@ -225,29 +215,34 @@ export async function promptUser(args) {
   }
 
   // Interactive mode
-  console.log('\n🔒 Secure Coding Rules - OWASP 2025 Security Rules Generator\n');
+  console.log(`\n🔒 ${t('title')}\n`);
   console.log('─'.repeat(55));
   printProjectStatus(state);
 
-  // AI tool selection - highlight detected ones
-  const toolOptions = AI_TOOLS.map((t) => ({
-    ...t,
-    detected: state.detectedTools.includes(t.value),
+  // AI tool selection (multiple)
+  const toolOptions = AI_TOOLS.map((tool) => ({
+    ...tool,
+    detected: state.detectedTools.includes(tool.value),
   }));
 
-  // If only one tool detected, suggest it first
-  if (state.detectedTools.length === 1) {
-    const detected = state.detectedTools[0];
-    const idx = toolOptions.findIndex((t) => t.value === detected);
-    if (idx > 0) {
-      const [item] = toolOptions.splice(idx, 1);
-      toolOptions.unshift(item);
-    }
-  }
+  const tools = await selectMultiple(t('selectTools'), toolOptions);
 
-  const tool = await selectOne('Which AI coding tool do you use?', toolOptions);
+  // Output mode selection
+  // Only relevant for tools that support both modes (claude, copilot, agents)
+  const supportsDirectory = tools.some((t) =>
+    ['claude', 'copilot'].includes(t)
+  );
 
-  // Framework selection - auto-suggest detected
+  let outputMode = 'inline';
+  if (supportsDirectory) {
+    const modeOptions = [
+      { label: `${t('outputInline')}`, value: 'inline' },
+      { label: `${t('outputDirectory')}`, value: 'directory' },
+    ];
+    outputMode = await selectOne(t('selectOutputMode'), modeOptions);
+  }
+
+  // Framework selection
   const frameworkOptions = FRAMEWORKS.map((f) => ({
     ...f,
     detected: f.value === state.detectedFramework,
@@ -262,46 +257,53 @@ export async function promptUser(args) {
     }
   }
 
-  const framework = await selectOne(
-    'What is your primary framework?',
-    frameworkOptions
-  );
-
-  // Update or fresh install message
-  if (state.existingRules[tool]) {
-    console.log(`\n  ℹ Existing rules found - will update security section only.`);
-  }
+  const framework = await selectOne(t('selectFramework'), frameworkOptions);
 
-  const allCategories = await confirm(
-    'Include all OWASP 2025 security categories?'
-  );
+  const allCategories = await confirm(t('includeAll'));
 
   let categories;
   if (allCategories) {
     categories = SECURITY_CATEGORIES.map((c) => c.value);
   } else {
-    categories = await selectMultiple(
-      'Select security categories:',
-      SECURITY_CATEGORIES
-    );
+    categories = await selectMultiple(t('selectCategories'), SECURITY_CATEGORIES);
   }
 
   const includeFrontend =
     framework !== 'node'
-      ? await confirm('Include frontend-specific security rules?')
+      ? await confirm(t('includeFrontend'))
       : false;
 
   if (includeFrontend) {
-    const frontendCats = [
-      'xss-prevention',
-      'csrf-protection',
-      'csp',
-      'secure-state',
-    ];
+    const frontendCats = ['xss-prevention', 'csrf-protection', 'csp', 'secure-state'];
     frontendCats.forEach((c) => {
       if (!categories.includes(c)) categories.push(c);
     });
   }
 
-  return { tool, framework, categories, includeFrontend };
+  // Auto-include framework-specific and TypeScript rules
+  autoIncludeExtras(categories, framework);
+
+  return { tools, outputMode, framework, categories, includeFrontend };
+}
+
+/**
+ * Auto-include TypeScript and framework-specific rules based on selection
+ */
+function autoIncludeExtras(categories, framework) {
+  // Always include TypeScript rules (most JS projects use TS now)
+  if (!categories.includes('typescript-security')) {
+    categories.push('typescript-security');
+  }
+
+  const frameworkMap = {
+    react: ['react-security', 'nextjs-security'],
+    vue: [],
+    node: ['express-security'],
+    vanilla: [],
+  };
+
+  const extras = frameworkMap[framework] || [];
+  extras.forEach((c) => {
+    if (!categories.includes(c)) categories.push(c);
+  });
 }

package/src/templates/frameworks/express-security.md

@@ -0,0 +1,130 @@
+# Express/Node.js Security Rules
+
+> Security rules for Express.js and Node.js server applications, covering middleware hardening, input validation, and secure error handling.
+
+## Rules
+
+### 1. Use Helmet Middleware for HTTP Security Headers
+- **DO**: Install and apply `helmet()` as early as possible in the middleware chain. Fine-tune individual headers (CSP, HSTS, X-Frame-Options) based on your application's needs.
+- **DON'T**: Serve responses without security headers. Never rely on the browser's default behavior to protect against clickjacking, MIME sniffing, or missing HSTS.
+- **WHY**: Helmet sets critical HTTP response headers that mitigate entire classes of attacks (XSS, clickjacking, MIME confusion) with minimal configuration effort.
+
+### 2. Configure CORS Explicitly — Never Use Wildcard Origins
+- **DO**: Set specific allowed origins in your CORS configuration. Validate the `Origin` header against a strict allowlist. Restrict `methods` and `allowedHeaders` to only what the client needs.
+- **DON'T**: Use `origin: "*"` or reflect the request `Origin` header back without validation. Never combine `credentials: true` with a wildcard origin.
+- **WHY**: Wildcard CORS allows any website to make cross-origin requests to your API. Combined with credentials, this lets attackers perform authenticated actions on behalf of users via malicious sites.
+
+### 3. Apply Rate Limiting to All Endpoints
+- **DO**: Use `express-rate-limit` (or similar) globally, with stricter limits on authentication, password reset, and payment endpoints. Include `keyGenerator` based on authenticated user ID where possible.
+- **DON'T**: Leave endpoints unprotected from high-volume requests. Never rely solely on IP-based rate limiting behind shared proxies without `trust proxy` configuration.
+- **WHY**: Rate limiting prevents brute-force attacks, credential stuffing, and denial-of-service. Without it, attackers can enumerate users, brute-force passwords, or exhaust server resources.
+
+### 4. Set Body Parser Size Limits
+- **DO**: Configure explicit size limits on `express.json()` and `express.urlencoded()` (e.g., `limit: "100kb"`). Set even stricter limits for file uploads using multer or busboy.
+- **DON'T**: Accept unlimited request body sizes. Never use default parser settings in production without reviewing limits.
+- **WHY**: Oversized payloads can exhaust server memory, cause out-of-memory crashes, or be used in denial-of-service attacks. A 10MB JSON body can block the event loop during parsing.
+
+### 5. Configure `trust proxy` Correctly
+- **DO**: Set `trust proxy` to the exact number of proxies in front of your app (e.g., `app.set("trust proxy", 1)` for one reverse proxy). Validate your setup by logging `req.ip` in staging.
+- **DON'T**: Set `trust proxy` to `true` (trusts all proxies) in production. Never leave it unconfigured when behind a load balancer.
+- **WHY**: Incorrect `trust proxy` settings make `req.ip` unreliable. Attackers can spoof `X-Forwarded-For` headers to bypass IP-based rate limiting and access controls.
+
+### 6. Never Expose Stack Traces or Internal Details in Error Responses
+- **DO**: Use a centralized error handler that returns generic error messages to clients and logs full error details (stack trace, query, context) server-side only.
+- **DON'T**: Send `err.stack`, `err.message`, or database error details in API responses. Never use Express's default error handler in production.
+- **WHY**: Stack traces reveal file paths, library versions, database schemas, and internal logic. Attackers use this information for targeted exploitation.
+
+### 7. Use Parameterized Queries for All Database Operations
+- **DO**: Use parameterized queries, prepared statements, or ORM query builders (Knex, Prisma, Sequelize) for all database operations. Validate and sanitize inputs before they reach the query layer.
+- **DON'T**: Concatenate or template-literal user input into SQL or NoSQL query strings. Never build MongoDB queries with unsanitized `req.body` objects.
+- **WHY**: SQL and NoSQL injection remain top attack vectors. Parameterized queries separate code from data, making injection structurally impossible regardless of input content.
+
+## Code Examples
+
+### Bad Practice
+```javascript
+const express = require("express");
+const app = express();
+
+// No helmet, no security headers
+app.use(express.json()); // No size limit
+
+// Wildcard CORS — any site can call this API
+const cors = require("cors");
+app.use(cors({ origin: "*", credentials: true }));
+
+// Stack trace leaked in error response
+app.use((err, req, res, next) => {
+  res.status(500).json({ error: err.message, stack: err.stack });
+});
+
+// SQL injection via string concatenation
+app.get("/api/users", async (req, res) => {
+  const query = `SELECT * FROM users WHERE name = '${req.query.name}'`;
+  const users = await db.raw(query);
+  res.json(users);
+});
+
+// No rate limiting on login
+app.post("/api/login", async (req, res) => {
+  const user = await authenticate(req.body.email, req.body.password);
+  res.json({ token: generateToken(user) });
+});
+```
+
+### Good Practice
+```javascript
+const express = require("express");
+const helmet = require("helmet");
+const cors = require("cors");
+const rateLimit = require("express-rate-limit");
+
+const app = express();
+
+// Security headers
+app.use(helmet());
+
+// Strict CORS
+app.use(cors({
+  origin: ["https://app.example.com"],
+  methods: ["GET", "POST", "PUT", "DELETE"],
+  credentials: true,
+}));
+
+// Body size limit
+app.use(express.json({ limit: "100kb" }));
+
+// Trust proxy (behind one reverse proxy)
+app.set("trust proxy", 1);
+
+// Global rate limit
+app.use(rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));
+
+// Strict rate limit on auth
+const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 5 });
+app.post("/api/login", authLimiter, async (req, res) => {
+  const user = await authenticate(req.body.email, req.body.password);
+  res.json({ token: generateToken(user) });
+});
+
+// Parameterized query (Knex example)
+app.get("/api/users", async (req, res) => {
+  const users = await db("users").where("name", req.query.name);
+  res.json(users);
+});
+
+// Centralized error handler — no stack trace leakage
+app.use((err, req, res, next) => {
+  console.error(err); // Full details server-side only
+  res.status(err.status || 500).json({ error: "Internal server error" });
+});
+```
+
+## Quick Checklist
+- [ ] `helmet()` is applied before all route handlers
+- [ ] CORS `origin` is set to specific allowed domains, not `"*"`
+- [ ] `express-rate-limit` is applied globally and with stricter limits on auth endpoints
+- [ ] `express.json()` and `express.urlencoded()` have explicit `limit` set
+- [ ] `trust proxy` is set to the correct number of proxies, not `true`
+- [ ] Error handler returns generic messages; stack traces are logged server-side only
+- [ ] All database queries use parameterized queries or ORM query builders

package/src/templates/frameworks/nextjs-security.md

@@ -0,0 +1,149 @@
+# Next.js Security Rules
+
+> Security rules for Next.js applications using the App Router, covering Server Actions, middleware authentication, environment variable safety, and secure data fetching patterns.
+
+## Rules
+
+### 1. Validate All Inputs in Server Actions with Schema Validation
+- **DO**: Use Zod or a similar library to validate every input in Server Actions. Treat Server Actions as public API endpoints — validate, sanitize, and authorize before processing.
+- **DON'T**: Trust form data or arguments passed to Server Actions without validation. Never assume the client-side form structure limits what can be submitted.
+- **WHY**: Server Actions are HTTP POST endpoints under the hood. Attackers can call them directly with arbitrary payloads, bypassing all client-side validation and form structure.
+
+### 2. Enforce Authentication and Authorization in `middleware.ts`
+- **DO**: Use `middleware.ts` to protect routes by verifying session tokens or JWTs before the request reaches any page or API route. Define public routes explicitly via matcher config.
+- **DON'T**: Rely on individual page components or layouts to check authentication. Never skip authorization checks assuming middleware already handled them.
+- **WHY**: Middleware runs at the edge before any rendering occurs, providing a centralized and reliable enforcement point. Component-level checks are too late — data may already be fetched and serialized.
+
+### 3. Understand `NEXT_PUBLIC_` Environment Variable Exposure
+- **DO**: Only prefix environment variables with `NEXT_PUBLIC_` when the value is intentionally public. Keep API keys, database URLs, and secrets without the prefix so they remain server-only.
+- **DON'T**: Add `NEXT_PUBLIC_` to secrets or internal service URLs. Never store sensitive values in `NEXT_PUBLIC_` variables "for convenience" in client components.
+- **WHY**: `NEXT_PUBLIC_` variables are inlined into the client-side JavaScript bundle at build time. They are visible to anyone who views your page source — this is by design and cannot be reversed.
+
+### 4. Validate HTTP Methods in API Routes
+- **DO**: Explicitly check and handle each HTTP method in API route handlers. Use Next.js App Router's named exports (`GET`, `POST`, `PUT`, `DELETE`) to restrict allowed methods.
+- **DON'T**: Handle all methods in a single catch-all handler without method validation. Never allow `GET` requests to perform state-changing operations.
+- **WHY**: API routes that accept any method can be exploited via CSRF (GET requests with image tags), method confusion, or unintended side effects from HEAD/OPTIONS requests.
+
+### 5. Never Include Sensitive Data in ISR/SSG Pages
+- **DO**: Fetch only public data during static generation (`generateStaticParams`, page-level data fetching). Load user-specific or sensitive data client-side or in server components that are not cached.
+- **DON'T**: Include tokens, internal IDs, admin data, or PII in statically generated pages. Never pass sensitive data through `searchParams` that end up in cached pages.
+- **WHY**: ISR/SSG pages are cached as static HTML files and served from CDN edges. Sensitive data in these pages is shared across all users and persists until the next revalidation.
+
+### 6. Use `next/headers` and `next/cookies` Securely
+- **DO**: Set cookies with `httpOnly`, `secure`, `sameSite: "strict"`, and appropriate `path` / `maxAge`. Read cookies and headers only in server components or route handlers.
+- **DON'T**: Store sensitive tokens in cookies without `httpOnly` and `secure` flags. Never trust cookie values without server-side validation.
+- **WHY**: Cookies without `httpOnly` are accessible to JavaScript and vulnerable to XSS theft. Without `secure`, cookies transmit over HTTP. Without `sameSite`, cookies are vulnerable to CSRF.
+
+### 7. Protect Server-Only Code with `server-only` Package
+- **DO**: Add `import "server-only"` at the top of files containing database queries, secrets access, or internal business logic. This causes a build error if the file is imported by a client component.
+- **DON'T**: Rely on convention alone to separate server and client code. Never assume that a file without `"use client"` is safe from client bundling.
+- **WHY**: Next.js's bundler may include server-side files in the client bundle if they are transitively imported by a client component. The `server-only` package provides a compile-time guarantee that prevents accidental exposure.
+
+## Code Examples
+
+### Bad Practice
+```typescript
+// Server Action without validation
+"use server";
+async function updateProfile(formData: FormData) {
+  const name = formData.get("name") as string;
+  await db.user.update({ where: { id: userId }, data: { name } }); // No validation
+}
+
+// Secret exposed via NEXT_PUBLIC_
+// .env
+// NEXT_PUBLIC_DB_URL=postgresql://admin:password@db.internal:5432/prod
+// NEXT_PUBLIC_API_SECRET=sk-secret-key-12345
+
+// API route accepting any method
+export async function handler(req: NextRequest) {
+  // GET, POST, DELETE all hit the same code path
+  const data = await req.json();
+  await db.user.delete({ where: { id: data.id } });
+  return Response.json({ success: true });
+}
+
+// Sensitive data in ISR page
+export const revalidate = 3600;
+export default async function AdminPage() {
+  const users = await db.user.findMany({
+    select: { id: true, email: true, ssn: true }, // SSN in static page!
+  });
+  return <UserTable users={users} />;
+}
+```
+
+### Good Practice
+```typescript
+// Server Action with Zod validation and authorization
+"use server";
+import { z } from "zod";
+import { auth } from "@/lib/auth";
+
+const UpdateProfileSchema = z.object({
+  name: z.string().min(1).max(100).trim(),
+});
+
+async function updateProfile(formData: FormData) {
+  const session = await auth();
+  if (!session?.user) throw new Error("Unauthorized");
+  const result = UpdateProfileSchema.safeParse({ name: formData.get("name") });
+  if (!result.success) throw new Error("Invalid input");
+  await db.user.update({
+    where: { id: session.user.id },
+    data: { name: result.data.name },
+  });
+}
+
+// middleware.ts — centralized auth
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+
+const publicPaths = ["/login", "/register", "/api/health"];
+
+export function middleware(request: NextRequest) {
+  if (publicPaths.some((p) => request.nextUrl.pathname.startsWith(p))) {
+    return NextResponse.next();
+  }
+  const token = request.cookies.get("session-token")?.value;
+  if (!token) return NextResponse.redirect(new URL("/login", request.url));
+  return NextResponse.next();
+}
+
+export const config = { matcher: ["/((?!_next/static|favicon.ico).*)"] };
+
+// Environment variables: no NEXT_PUBLIC_ prefix for secrets
+// DATABASE_URL=postgresql://...  (server-only, no prefix)
+// NEXT_PUBLIC_APP_URL=https://app.example.com  (safe to expose)
+
+// server-only guard
+import "server-only";
+import { db } from "@/lib/db";
+
+export async function getSecretConfig() {
+  return db.config.findFirst(); // Build error if imported by client component
+}
+
+// Secure cookie setting
+import { cookies } from "next/headers";
+
+async function setSessionCookie(token: string) {
+  const cookieStore = await cookies();
+  cookieStore.set("session-token", token, {
+    httpOnly: true,
+    secure: true,
+    sameSite: "strict",
+    maxAge: 60 * 60 * 24, // 1 day
+    path: "/",
+  });
+}
+```
+
+## Quick Checklist
+- [ ] All Server Actions validate inputs with Zod or equivalent schema validation
+- [ ] `middleware.ts` enforces authentication on all protected routes
+- [ ] No secrets or internal URLs use the `NEXT_PUBLIC_` prefix
+- [ ] API routes use named method exports (`GET`, `POST`) instead of catch-all handlers
+- [ ] ISR/SSG pages contain only public, non-sensitive data
+- [ ] Cookies are set with `httpOnly`, `secure`, and `sameSite` flags
+- [ ] Server-only files use `import "server-only"` as a compile-time guard