secure-coding-rules 2.0.0

package/src/index.js

@@ -0,0 +1,177 @@
+/**
+ * secure-rules - OWASP 2025 Security Rules Generator for AI Coding Assistants
+ *
+ * Generates security coding rules in the format of your preferred AI tool:
+ * - CLAUDE.md (Claude Code)
+ * - .cursor/rules/*.mdc (Cursor)
+ * - .windsurf/rules/*.md (Windsurf)
+ * - .github/copilot-instructions.md (GitHub Copilot)
+ * - AGENTS.md (vendor-neutral)
+ */
+
+import { mkdir, readFile, writeFile } from 'node:fs/promises';
+import { readFileSync, existsSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { promptUser } from './prompts.js';
+import { loadTemplates } from './loader.js';
+
+// Adapter imports
+import * as claudeAdapter from './adapters/claude.js';
+import * as cursorAdapter from './adapters/cursor.js';
+import * as windsurfAdapter from './adapters/windsurf.js';
+import * as copilotAdapter from './adapters/copilot.js';
+import * as agentsAdapter from './adapters/agents.js';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+function getVersion() {
+  try {
+    const pkg = JSON.parse(
+      readFileSync(join(__dirname, '..', 'package.json'), 'utf-8')
+    );
+    return pkg.version;
+  } catch {
+    return '2.0.0';
+  }
+}
+
+const adapters = {
+  claude: claudeAdapter,
+  cursor: cursorAdapter,
+  windsurf: windsurfAdapter,
+  copilot: copilotAdapter,
+  agents: agentsAdapter,
+};
+
+export async function run() {
+  const args = process.argv.slice(2);
+  const version = getVersion();
+
+  // Help flag
+  if (args.includes('--help') || args.includes('-h')) {
+    printHelp(version);
+    return;
+  }
+
+  // Version flag
+  if (args.includes('--version') || args.includes('-v')) {
+    console.log(`secure-coding-rules v${version}`);
+    return;
+  }
+
+  const config = await promptUser(args);
+
+  // --check returns null to signal early exit
+  if (config === null) return;
+
+  const adapter = adapters[config.tool];
+
+  console.log(`\nLoading security templates...`);
+  const templates = await loadTemplates(config.categories);
+
+  if (templates.size === 0) {
+    console.error('No templates found. Please check your installation.');
+    process.exit(1);
+  }
+
+  console.log(`Loaded ${templates.size} security rule modules.`);
+
+  const cwd = process.cwd();
+  const options = { framework: config.framework, version };
+
+  if (config.tool === 'cursor') {
+    await generateMultipleFiles(cursorAdapter, templates, options, cwd);
+  } else if (config.tool === 'windsurf') {
+    await generateMultipleFiles(windsurfAdapter, templates, options, cwd);
+  } else {
+    await generateSingleFile(adapter, templates, options, cwd);
+  }
+
+  console.log('\n✅ Security rules generated successfully!');
+  console.log('📖 Based on OWASP Top 10 2025 (https://owasp.org/Top10/2025/)');
+  console.log('\nRun again anytime to update: npx secure-coding-rules\n');
+}
+
+async function generateSingleFile(adapter, templates, options, cwd) {
+  const outputPath = join(cwd, adapter.outputPath);
+  const dir = dirname(outputPath);
+
+  if (!existsSync(dir)) {
+    await mkdir(dir, { recursive: true });
+  }
+
+  const newContent = adapter.format(templates, options);
+
+  if (existsSync(outputPath) && adapter.merge) {
+    const existing = await readFile(outputPath, 'utf-8');
+    const merged = adapter.merge(existing, newContent);
+    await writeFile(outputPath, merged, 'utf-8');
+    console.log(`\n📝 Updated: ${adapter.outputPath} (merged with existing content)`);
+  } else {
+    await writeFile(outputPath, newContent, 'utf-8');
+    console.log(`\n📝 Created: ${adapter.outputPath}`);
+  }
+}
+
+async function generateMultipleFiles(adapter, templates, options, cwd) {
+  const outputDir = join(cwd, adapter.outputDir);
+
+  if (!existsSync(outputDir)) {
+    await mkdir(outputDir, { recursive: true });
+  }
+
+  const files = adapter.formatMultiple(templates, options);
+  let count = 0;
+
+  for (const [filename, content] of files) {
+    const filePath = join(outputDir, filename);
+    await writeFile(filePath, content, 'utf-8');
+    count++;
+  }
+
+  console.log(`\n📝 Generated ${count} files in ${adapter.outputDir}/`);
+}
+
+function printHelp(version) {
+  console.log(`
+secure-coding-rules v${version}
+
+OWASP 2025 기반 JavaScript 보안 코딩 룰을 AI 코딩 어시스턴트에 자동 적용
+
+Usage:
+  npx secure-coding-rules              Interactive mode (auto-detects project)
+  npx secure-coding-rules --yes        Apply all rules with smart defaults
+  npx secure-coding-rules --check      Show current project security status
+
+Options:
+  -y, --yes      Non-interactive mode (auto-detects tool & framework)
+  --check        Show which AI tools and frameworks are detected
+  -h, --help     Show this help
+  -v, --version  Show version
+
+Supported AI Tools:
+  - Claude Code    → CLAUDE.md
+  - Cursor         → .cursor/rules/*.mdc
+  - Windsurf       → .windsurf/rules/*.md
+  - GitHub Copilot → .github/copilot-instructions.md
+  - AGENTS.md      → AGENTS.md (vendor-neutral)
+
+Security Categories (OWASP Top 10 2025):
+  A01: Broken Access Control
+  A02: Security Misconfiguration
+  A03: Supply Chain Failures (NEW in 2025)
+  A04: Cryptographic Failures
+  A05: Injection
+  A06: Insecure Design
+  A07: Authentication Failures
+  A08: Data Integrity Failures
+  A09: Logging & Alerting Failures
+  A10: Error Handling (NEW in 2025)
+
+  + Frontend: XSS, CSRF, CSP, Secure State Management
+
+Homepage: https://github.com/user/secure-coding-rules
+`);
+}

package/src/loader.js

@@ -0,0 +1,85 @@
+/**
+ * Template loader - reads modular security rule files
+ */
+
+import { readFile } from 'node:fs/promises';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const TEMPLATES_DIR = join(__dirname, 'templates');
+
+const CORE_CATEGORIES = [
+  'access-control',
+  'security-config',
+  'supply-chain',
+  'cryptographic',
+  'injection',
+  'secure-design',
+  'authentication',
+  'data-integrity',
+  'logging-alerting',
+  'error-handling',
+];
+
+const FRONTEND_CATEGORIES = [
+  'xss-prevention',
+  'csrf-protection',
+  'csp',
+  'secure-state',
+];
+
+/**
+ * Load a single template file by category name
+ */
+export async function loadTemplate(category) {
+  const subdir = CORE_CATEGORIES.includes(category) ? 'core' : 'frontend';
+  const filePath = join(TEMPLATES_DIR, subdir, `${category}.md`);
+  try {
+    return await readFile(filePath, 'utf-8');
+  } catch {
+    console.warn(`Warning: Template not found: ${category}`);
+    return null;
+  }
+}
+
+/**
+ * Load multiple templates and return as Map<category, content>
+ */
+export async function loadTemplates(categories) {
+  const templates = new Map();
+  const results = await Promise.all(
+    categories.map(async (cat) => {
+      const content = await loadTemplate(cat);
+      return [cat, content];
+    })
+  );
+  for (const [cat, content] of results) {
+    if (content) templates.set(cat, content);
+  }
+  return templates;
+}
+
+/**
+ * Get category metadata
+ */
+export function getCategoryInfo(category) {
+  const info = {
+    'access-control': { owasp: 'A01', title: 'Broken Access Control', group: 'core' },
+    'security-config': { owasp: 'A02', title: 'Security Misconfiguration', group: 'core' },
+    'supply-chain': { owasp: 'A03', title: 'Supply Chain Failures', group: 'core' },
+    'cryptographic': { owasp: 'A04', title: 'Cryptographic Failures', group: 'core' },
+    'injection': { owasp: 'A05', title: 'Injection', group: 'core' },
+    'secure-design': { owasp: 'A06', title: 'Insecure Design', group: 'core' },
+    'authentication': { owasp: 'A07', title: 'Authentication Failures', group: 'core' },
+    'data-integrity': { owasp: 'A08', title: 'Data Integrity Failures', group: 'core' },
+    'logging-alerting': { owasp: 'A09', title: 'Logging & Alerting Failures', group: 'core' },
+    'error-handling': { owasp: 'A10', title: 'Error Handling', group: 'core' },
+    'xss-prevention': { owasp: 'FE-01', title: 'XSS Prevention', group: 'frontend' },
+    'csrf-protection': { owasp: 'FE-02', title: 'CSRF Protection', group: 'frontend' },
+    'csp': { owasp: 'FE-03', title: 'Content Security Policy', group: 'frontend' },
+    'secure-state': { owasp: 'FE-04', title: 'Secure State Management', group: 'frontend' },
+  };
+  return info[category] || { owasp: '??', title: category, group: 'unknown' };
+}

package/src/prompts.js

@@ -0,0 +1,307 @@
+/**
+ * Interactive CLI prompts using Node.js built-in readline
+ * Zero dependencies - works with Node.js 18+
+ */
+
+import { createInterface } from 'node:readline';
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+// ─── Readline helpers ────────────────────────────────────────────
+
+const rl = () =>
+  createInterface({ input: process.stdin, output: process.stdout });
+
+function ask(question) {
+  return new Promise((resolve) => {
+    const r = rl();
+    r.question(question, (answer) => {
+      r.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+function printOptions(options) {
+  options.forEach((opt, i) => {
+    const marker = opt.detected ? ' (detected)' : '';
+    console.log(`  ${i + 1}) ${opt.label}${marker}`);
+  });
+}
+
+async function selectOne(question, options) {
+  console.log(`\n${question}`);
+  printOptions(options);
+  const answer = await ask(`\nSelect (1-${options.length}): `);
+  const idx = parseInt(answer, 10) - 1;
+  if (idx >= 0 && idx < options.length) return options[idx].value;
+  console.log('Invalid selection, defaulting to first option.');
+  return options[0].value;
+}
+
+async function selectMultiple(question, options) {
+  console.log(`\n${question}`);
+  printOptions(options);
+  console.log(`  0) All`);
+  const answer = await ask(
+    `\nSelect (comma-separated, e.g. 1,3,5 or 0 for all): `
+  );
+
+  if (answer === '0' || answer.toLowerCase() === 'all') {
+    return options.map((o) => o.value);
+  }
+
+  const indices = answer
+    .split(',')
+    .map((s) => parseInt(s.trim(), 10) - 1)
+    .filter((i) => i >= 0 && i < options.length);
+
+  if (indices.length === 0) {
+    console.log('No valid selection, selecting all.');
+    return options.map((o) => o.value);
+  }
+
+  return indices.map((i) => options[i].value);
+}
+
+async function confirm(question) {
+  const answer = await ask(`\n${question} (Y/n): `);
+  return answer.toLowerCase() !== 'n';
+}
+
+// ─── Constants ───────────────────────────────────────────────────
+
+export const AI_TOOLS = [
+  { label: 'Claude Code (CLAUDE.md)', value: 'claude' },
+  { label: 'Cursor (.cursor/rules/)', value: 'cursor' },
+  { label: 'Windsurf (.windsurf/rules/)', value: 'windsurf' },
+  { label: 'GitHub Copilot (.github/copilot-instructions.md)', value: 'copilot' },
+  { label: 'AGENTS.md (vendor-neutral)', value: 'agents' },
+];
+
+export const FRAMEWORKS = [
+  { label: 'React / Next.js', value: 'react' },
+  { label: 'Vue / Nuxt', value: 'vue' },
+  { label: 'Node.js / Express', value: 'node' },
+  { label: 'Vanilla JavaScript / TypeScript', value: 'vanilla' },
+];
+
+export const SECURITY_CATEGORIES = [
+  { label: 'A01: Broken Access Control', value: 'access-control' },
+  { label: 'A02: Security Misconfiguration', value: 'security-config' },
+  { label: 'A03: Supply Chain Failures', value: 'supply-chain' },
+  { label: 'A04: Cryptographic Failures', value: 'cryptographic' },
+  { label: 'A05: Injection', value: 'injection' },
+  { label: 'A06: Insecure Design', value: 'secure-design' },
+  { label: 'A07: Authentication Failures', value: 'authentication' },
+  { label: 'A08: Data Integrity Failures', value: 'data-integrity' },
+  { label: 'A09: Logging & Alerting Failures', value: 'logging-alerting' },
+  { label: 'A10: Error Handling', value: 'error-handling' },
+  { label: 'Frontend: XSS Prevention', value: 'xss-prevention' },
+  { label: 'Frontend: CSRF Protection', value: 'csrf-protection' },
+  { label: 'Frontend: CSP', value: 'csp' },
+  { label: 'Frontend: Secure State Management', value: 'secure-state' },
+];
+
+// ─── Project state detection ─────────────────────────────────────
+
+/**
+ * Detect the current project environment:
+ * - Which AI tool configs already exist
+ * - What framework is being used (via package.json)
+ * - Whether this is a new or existing project
+ */
+export function detectProjectState(cwd) {
+  const state = {
+    hasPackageJson: existsSync(join(cwd, 'package.json')),
+    detectedTools: [],
+    detectedFramework: null,
+    existingRules: {},
+  };
+
+  // Detect existing AI tool configs
+  const toolPaths = {
+    claude: 'CLAUDE.md',
+    cursor: '.cursor/rules',
+    windsurf: '.windsurf/rules',
+    copilot: '.github/copilot-instructions.md',
+    agents: 'AGENTS.md',
+  };
+
+  for (const [tool, path] of Object.entries(toolPaths)) {
+    const fullPath = join(cwd, path);
+    if (existsSync(fullPath)) {
+      state.detectedTools.push(tool);
+      state.existingRules[tool] = fullPath;
+    }
+  }
+
+  // Detect framework from package.json dependencies
+  if (state.hasPackageJson) {
+    try {
+      const pkg = JSON.parse(
+        readFileSync(join(cwd, 'package.json'), 'utf-8')
+      );
+      const allDeps = {
+        ...pkg.dependencies,
+        ...pkg.devDependencies,
+      };
+      if (allDeps.next || allDeps.react) state.detectedFramework = 'react';
+      else if (allDeps.nuxt || allDeps.vue) state.detectedFramework = 'vue';
+      else if (allDeps.express || allDeps.fastify || allDeps.koa)
+        state.detectedFramework = 'node';
+      else state.detectedFramework = 'vanilla';
+    } catch {
+      // Ignore parse errors
+    }
+  }
+
+  return state;
+}
+
+/**
+ * Print a summary of the detected project state
+ */
+export function printProjectStatus(state) {
+  console.log('\n📋 Project Status:');
+
+  if (state.detectedTools.length > 0) {
+    const toolNames = state.detectedTools
+      .map((t) => AI_TOOLS.find((a) => a.value === t)?.label || t)
+      .join(', ');
+    console.log(`  AI tools detected: ${toolNames}`);
+  } else {
+    console.log('  No AI tool configs found (new setup)');
+  }
+
+  if (state.detectedFramework) {
+    const fwName =
+      FRAMEWORKS.find((f) => f.value === state.detectedFramework)?.label ||
+      state.detectedFramework;
+    console.log(`  Framework detected: ${fwName}`);
+  }
+
+  if (!state.hasPackageJson) {
+    console.log('  No package.json found (works fine - rules will be created in current directory)');
+  }
+}
+
+// ─── Main prompt flow ────────────────────────────────────────────
+
+function isInteractive() {
+  return process.stdin.isTTY === true;
+}
+
+export async function promptUser(args) {
+  const cwd = process.cwd();
+  const state = detectProjectState(cwd);
+
+  // --check flag: just show status and exit (must be before auto-mode check)
+  if (args.includes('--check')) {
+    printProjectStatus(state);
+    return null; // Signal to index.js to exit early
+  }
+
+  // Non-interactive mode: --yes flag or non-TTY environment
+  if (args.includes('--yes') || args.includes('-y') || !isInteractive()) {
+    if (!isInteractive() && !args.includes('--yes') && !args.includes('-y')) {
+      console.log('Non-interactive environment detected, using defaults.');
+    }
+
+    // Smart defaults based on detection
+    const tool =
+      state.detectedTools.length === 1
+        ? state.detectedTools[0]
+        : state.detectedTools.includes('claude')
+          ? 'claude'
+          : 'claude';
+
+    return {
+      tool,
+      framework: state.detectedFramework || 'vanilla',
+      categories: SECURITY_CATEGORIES.map((c) => c.value),
+      includeFrontend: (state.detectedFramework || 'vanilla') !== 'node',
+    };
+  }
+
+  // Interactive mode
+  console.log('\n🔒 Secure Coding Rules - OWASP 2025 Security Rules Generator\n');
+  console.log('─'.repeat(55));
+  printProjectStatus(state);
+
+  // AI tool selection - highlight detected ones
+  const toolOptions = AI_TOOLS.map((t) => ({
+    ...t,
+    detected: state.detectedTools.includes(t.value),
+  }));
+
+  // If only one tool detected, suggest it first
+  if (state.detectedTools.length === 1) {
+    const detected = state.detectedTools[0];
+    const idx = toolOptions.findIndex((t) => t.value === detected);
+    if (idx > 0) {
+      const [item] = toolOptions.splice(idx, 1);
+      toolOptions.unshift(item);
+    }
+  }
+
+  const tool = await selectOne('Which AI coding tool do you use?', toolOptions);
+
+  // Framework selection - auto-suggest detected
+  const frameworkOptions = FRAMEWORKS.map((f) => ({
+    ...f,
+    detected: f.value === state.detectedFramework,
+  }));
+  if (state.detectedFramework) {
+    const idx = frameworkOptions.findIndex(
+      (f) => f.value === state.detectedFramework
+    );
+    if (idx > 0) {
+      const [item] = frameworkOptions.splice(idx, 1);
+      frameworkOptions.unshift(item);
+    }
+  }
+
+  const framework = await selectOne(
+    'What is your primary framework?',
+    frameworkOptions
+  );
+
+  // Update or fresh install message
+  if (state.existingRules[tool]) {
+    console.log(`\n  ℹ Existing rules found - will update security section only.`);
+  }
+
+  const allCategories = await confirm(
+    'Include all OWASP 2025 security categories?'
+  );
+
+  let categories;
+  if (allCategories) {
+    categories = SECURITY_CATEGORIES.map((c) => c.value);
+  } else {
+    categories = await selectMultiple(
+      'Select security categories:',
+      SECURITY_CATEGORIES
+    );
+  }
+
+  const includeFrontend =
+    framework !== 'node'
+      ? await confirm('Include frontend-specific security rules?')
+      : false;
+
+  if (includeFrontend) {
+    const frontendCats = [
+      'xss-prevention',
+      'csrf-protection',
+      'csp',
+      'secure-state',
+    ];
+    frontendCats.forEach((c) => {
+      if (!categories.includes(c)) categories.push(c);
+    });
+  }
+
+  return { tool, framework, categories, includeFrontend };
+}

package/src/templates/core/access-control.md

@@ -0,0 +1,112 @@
+# Access Control Security Rules
+
+> OWASP Top 10 2025 - A01: Broken Access Control
+
+## Rules
+
+### 1. Enforce Server-Side Access Control
+- **DO**: Validate all access control checks on the server side. Never rely solely on client-side checks.
+- **DON'T**: Hide UI elements as the only means of restricting access. Attackers bypass client-side controls trivially.
+- **WHY**: Client-side access control is purely cosmetic and can be bypassed by modifying requests directly.
+
+### 2. Deny by Default
+- **DO**: Implement a default-deny policy. Explicitly grant access only to resources the user is authorized for.
+- **DON'T**: Use a default-allow model where you try to block specific unauthorized access patterns.
+- **WHY**: Default-deny ensures new endpoints and resources are secure by default, reducing the risk of accidental exposure.
+
+### 3. Use Role-Based or Attribute-Based Access Control
+- **DO**: Implement RBAC or ABAC with clearly defined roles and permissions. Check permissions at every access point.
+- **DON'T**: Hardcode user IDs or permission checks scattered throughout business logic.
+- **WHY**: Centralized access control is easier to audit, maintain, and less prone to bypass.
+
+### 4. Validate Object-Level Authorization (IDOR Prevention)
+- **DO**: Verify the authenticated user has permission to access the specific resource identified by the request parameter.
+- **DON'T**: Trust client-supplied IDs (e.g., `/api/users/123/orders`) without verifying the requester owns that resource.
+- **WHY**: Insecure Direct Object Reference (IDOR) is one of the most common access control flaws, allowing users to access others' data.
+
+### 5. Enforce Function-Level Access Control
+- **DO**: Check authorization for every API endpoint and controller action, including admin functions.
+- **DON'T**: Assume that obscure or undocumented endpoints are safe from unauthorized access.
+- **WHY**: Attackers discover hidden endpoints through reconnaissance, API documentation leaks, or brute-force.
+
+### 6. Implement Rate Limiting on Sensitive Operations
+- **DO**: Apply rate limiting to authentication, password reset, and other sensitive endpoints.
+- **DON'T**: Allow unlimited requests to access-controlled endpoints without throttling.
+- **WHY**: Rate limiting mitigates brute-force attacks and automated enumeration of resources.
+
+### 7. Use Secure Session and Token Management
+- **DO**: Invalidate sessions and tokens on logout, password change, and after a configurable idle timeout.
+- **DON'T**: Issue long-lived tokens without refresh mechanisms or allow sessions to persist indefinitely.
+- **WHY**: Stale sessions and tokens expand the attack window for session hijacking.
+
+## Code Examples
+
+### Bad Practice
+```javascript
+// Trusting client-supplied user ID without authorization check
+app.get("/api/users/:userId/profile", async (req, res) => {
+  const profile = await db.getUserProfile(req.params.userId);
+  res.json(profile); // No check if requester owns this profile
+});
+
+// Client-side only access control
+function AdminPanel() {
+  const { user } = useAuth();
+  if (user.role !== "admin") return null; // Easily bypassed
+  return <SensitiveAdminUI />;
+}
+```
+
+### Good Practice
+```javascript
+// Server-side authorization check with IDOR prevention
+app.get("/api/users/:userId/profile", authenticate, async (req, res) => {
+  if (req.user.id !== req.params.userId && req.user.role !== "admin") {
+    return res.status(403).json({ error: "Forbidden" });
+  }
+  const profile = await db.getUserProfile(req.params.userId);
+  res.json(profile);
+});
+
+// Centralized RBAC middleware
+function authorize(...allowedRoles) {
+  return (req, res, next) => {
+    if (!req.user || !allowedRoles.includes(req.user.role)) {
+      return res.status(403).json({ error: "Forbidden" });
+    }
+    next();
+  };
+}
+
+app.delete("/api/users/:id", authenticate, authorize("admin"), deleteUser);
+
+// Policy-based access control
+class AccessPolicy {
+  static canAccess(user, resource) {
+    const policies = {
+      "order:read": (u, r) => u.id === r.ownerId || u.role === "admin",
+      "order:delete": (u, r) => u.role === "admin",
+    };
+    const check = policies[`${resource.type}:${resource.action}`];
+    return check ? check(user, resource) : false; // Default deny
+  }
+}
+
+app.get("/api/orders/:id", authenticate, async (req, res) => {
+  const order = await db.getOrder(req.params.id);
+  if (!AccessPolicy.canAccess(req.user, { ...order, type: "order", action: "read" })) {
+    return res.status(403).json({ error: "Forbidden" });
+  }
+  res.json(order);
+});
+```
+
+## Quick Checklist
+- [ ] All access control is enforced server-side
+- [ ] Default-deny policy is in place for all routes
+- [ ] Every API endpoint checks authorization (not just authentication)
+- [ ] Object-level authorization prevents IDOR attacks
+- [ ] Admin functions require explicit role verification
+- [ ] Sessions and tokens are invalidated on logout/password change
+- [ ] Rate limiting is applied to sensitive endpoints
+- [ ] Access control logic is centralized and reusable