secure-repo 1.0.0

package/LICENSE

@@ -0,0 +1,26 @@
+MIT License
+
+Copyright (c) 2026 Secure Repo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+---
+
+NOTE: This MIT license applies to the free templates (templates/free/).
+Pro, premium, and preset templates are licensed separately under purchase terms.

package/README.md

@@ -0,0 +1,212 @@
+# Secure Repo
+
+**Drop production-grade security standards into any repository in 30 seconds.**
+
+```bash
+npx secure-repo init
+```
+
+That's it. Your repo now has battle-tested security policies, checklists, and enforcement rules used in real production SaaS applications.
+
+---
+
+## Audit Your Repo
+
+Not sure where you stand? Run an instant security audit:
+
+```bash
+npx secure-repo audit
+```
+
+```
+  secure-repo audit
+
+  Scanning repository for security issues...
+
+  Policy files:
+    [FAIL] SECURITY.md — missing (high priority)
+    [FAIL] AUTH.md — missing (high priority)
+    [FAIL] API.md — missing (high priority)
+    [warn] DATABASE.md — missing
+    [warn] DEPLOYMENT.md — missing
+
+  Environment files:
+    [pass] .env is in .gitignore
+    [pass] .env.example exists
+
+  Secret scanning:
+    [pass] No obvious secrets found in source files
+
+  ────────────────────────────────────
+  Results: 3 passed, 2 warnings, 3 issues
+  ────────────────────────────────────
+
+  3 issue(s) found. Fix these before shipping.
+  Run: npx secure-repo init
+```
+
+Zero setup. Zero dependencies. Just run it.
+
+---
+
+## The Problem
+
+You're building a SaaS app. You know you should have security policies, but:
+
+- Writing them from scratch takes days
+- You don't know what you're missing until something breaks
+- AI coding agents generate insecure code when there's no policy file to guide them
+- Your team has no shared standard for "how we handle auth" or "what counts as a safe API endpoint"
+
+## The Solution
+
+```bash
+npx secure-repo init
+```
+
+```
+  secure-repo - Adding production standards to your project
+
+  Free templates:
+    [done] SECURITY.md
+    [done] AUTH.md
+    [done] API.md
+
+  Done! 3 files added.
+```
+
+Every template is:
+
+- **Opinionated** — makes decisions so you don't have to
+- **Actionable** — every rule is verifiable, every pattern is copy-pastable
+- **AI-agent friendly** — coding agents read these files and write safer code
+
+---
+
+## What You Get (Free)
+
+Three templates that cover the foundations:
+
+**SECURITY.md** — No secrets in code. Privileged keys server-side only. Database access control mandatory. Server endpoints for all writes. Incident response steps.
+
+**AUTH.md** — JWT verification rules. Token storage (httpOnly cookies, not localStorage). Password hashing (bcrypt/argon2). Rate limiting on login. Session revocation. Role-based access.
+
+**API.md** — Input validation on every endpoint. Rate limiting on all public routes. Error responses that don't leak internals. Endpoint conventions. CORS rules. Pagination enforcement.
+
+Each file includes:
+- Rules marked "MUST FOLLOW"
+- Code patterns to copy
+- A "Required Checks Before Merge" checklist
+
+---
+
+## Pro Pack
+
+27 additional files for teams that want complete coverage. Sold separately.
+
+### Pro Templates (18 files)
+
+| Template | What it covers |
+|----------|---------------|
+| `DATABASE.md` | Access control patterns, migration safety, table design |
+| `DEPLOYMENT.md` | CI/CD pipeline, rollback procedures, zero-downtime deploys |
+| `INCIDENT_RESPONSE.md` | Severity levels, response steps, post-mortem template, runbooks |
+| `OBSERVABILITY.md` | Structured logging, PII redaction, alerting rules, health checks |
+| `TESTING.md` | Security test patterns with code examples |
+| `ENV_VARIABLES.md` | Secrets management, rotation, client vs server vars |
+| `PAYMENTS.md` | Stripe webhooks, subscription management, PCI rules |
+| `DATA_PRIVACY.md` | GDPR, retention schedules, account deletion flow |
+| `FILE_UPLOADS.md` | Upload validation, signed URLs, serving rules |
+| `RATE_LIMITING.md` | Per-endpoint limits, implementation patterns |
+| `THIRD_PARTY.md` | Integration inventory, webhook security, OAuth |
+| `ACCESS_CONTROL.md` | Roles, permissions, escalation, break-glass procedures |
+| `LOGGING_PII.md` | What to log, what to redact, compliance rules |
+| `PR_CHECKLIST.md` | Copy-paste security checklist for every PR |
+| `THREAT_MODEL.md` | Lightweight threat modeling template |
+| `VULNERABILITY_REPORTING.md` | Responsible disclosure policy |
+| `CONTRIBUTING_SECURITY.md` | Contributor security rules |
+| `POLICY_INDEX.md` | One-page index linking all policies |
+
+### Premium: 100+ Point Security Audit
+
+`FULL_AUDIT_CHECKLIST.md` — Complete production security audit with severity ratings, explanations for every item, and an audit summary template. This is what security consultants charge thousands to produce.
+
+### Stack Presets
+
+- **Supabase** — RLS policies, `auth.uid()` patterns, service role rules, function hardening (6 files)
+- **Firebase** — Firestore security rules, Firebase Auth, Cloud Functions, custom claims (3 files)
+
+### Code Examples
+
+- `next-route-handler.ts` — Secure API route with auth + validation + error handling
+- `rate-limit.ts` — Rate limiting middleware (in-memory + Redis)
+- `zod-validate.ts` — Reusable validation schemas
+- `supabase-rls.sql` — 8 RLS policy patterns
+- `firebase-rules.txt` — 8 Firestore rule patterns
+
+**Get the pro pack:** [polar.sh/third-space-labs](https://polar.sh/third-space-labs)
+
+After purchase, install with one command:
+
+```bash
+npx secure-repo init --key <your-license-key>
+```
+
+---
+
+## Commands
+
+```bash
+npx secure-repo init              # Add free security templates
+npx secure-repo init --key <key>  # Add free + pro templates (with license key)
+npx secure-repo audit             # Scan your repo for security issues
+npx secure-repo import <zip>      # Import pro templates from zip (offline)
+npx secure-repo check             # Check if your templates are outdated
+npx secure-repo list              # Show all available templates
+```
+
+---
+
+## Free vs Pro
+
+| | Free | Pro Pack |
+|--|------|---------|
+| Security audit command | Included | Included |
+| Core security policies (3 files) | Included | Included |
+| Deep engineering standards (18 files) | - | Included |
+| 100+ point audit checklist | - | Included |
+| Stack presets (Supabase, Firebase) | - | Included |
+| Code examples (5 files) | - | Included |
+| **Total policy files** | **3** | **30** |
+
+---
+
+## Why This Matters for AI-Assisted Development
+
+If you use Cursor, Claude Code, Copilot, or any AI coding agent — these files change how the agent writes code in your repo.
+
+When an AI agent sees `SECURITY.md` in your project root, it follows those rules. When it sees `API.md`, it validates input and handles errors correctly. When it sees `AUTH.md`, it checks tokens server-side.
+
+**Without policy files:** The agent guesses. It writes code that works but may not be secure.
+
+**With policy files:** The agent follows your standards. Every generated endpoint validates input, checks auth, and handles errors safely.
+
+Secure Repo gives your AI agents the rules they need to write production-safe code.
+
+---
+
+## Support This Project
+
+If Secure Repo helps you ship safer software, consider [sponsoring development](https://github.com/sponsors/sebiomoa).
+
+---
+
+## License
+
+Free templates (`templates/free/`) are [MIT licensed](LICENSE).
+
+Pro pack templates are licensed for personal and commercial use by the purchaser.
+
+---
+
+*This is not legal advice. These templates do not replace professional security audits for regulated industries. They are practical engineering tools for building more secure applications.*

package/bin/cli.js

@@ -0,0 +1,589 @@
+#!/usr/bin/env node
+
+const fs = require("fs");
+const path = require("path");
+const https = require("https");
+const { execSync } = require("child_process");
+
+const TEMPLATES_DIR = path.join(__dirname, "..", "templates");
+const FREE_DIR = path.join(TEMPLATES_DIR, "free");
+
+const POLAR_ORGANIZATION_ID = "d55baa70-3a94-4549-901a-2b4c920ff122";
+
+const PRO_ZIP_URL = "https://github.com/sebiomoa/secure-repo/releases/latest/download/secure-repo-pro.zip";
+
+const args = process.argv.slice(2);
+const command = args[0];
+
+// Files that a secure repo should have
+const RECOMMENDED_FILES = [
+  { file: "SECURITY.md", category: "security", severity: "high" },
+  { file: "AUTH.md", category: "security", severity: "high" },
+  { file: "API.md", category: "security", severity: "high" },
+  { file: "DATABASE.md", category: "security", severity: "medium" },
+  { file: "DEPLOYMENT.md", category: "operations", severity: "medium" },
+  { file: "INCIDENT_RESPONSE.md", category: "operations", severity: "medium" },
+  { file: "ENV_VARIABLES.md", category: "security", severity: "high" },
+  { file: "CONTRIBUTING.md", category: "process", severity: "low" },
+];
+
+// Known dangerous patterns to scan for
+const DANGER_PATTERNS = [
+  { pattern: /sk_live_[a-zA-Z0-9]+/, label: "Stripe live secret key" },
+  { pattern: /sk_test_[a-zA-Z0-9]+/, label: "Stripe test secret key" },
+  { pattern: /eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+/, label: "JWT token" },
+  { pattern: /SUPABASE_SERVICE_ROLE_KEY/, label: "Supabase service role key reference" },
+  { pattern: /password\s*[:=]\s*['"][^'"]+['"]/, label: "Hardcoded password" },
+  { pattern: /api[_-]?key\s*[:=]\s*['"][^'"]+['"]/, label: "Hardcoded API key" },
+];
+
+function printHelp() {
+  console.log(`
+  secure-repo - Production-grade security standards for your repo
+
+  Usage:
+    npx secure-repo init              Add free security templates
+    npx secure-repo init --key <key>  Add free + pro templates (requires license key)
+    npx secure-repo audit             Scan your repo for security issues
+    npx secure-repo import <file>     Import pro templates from a zip file (offline)
+    npx secure-repo check             Check which templates are outdated
+    npx secure-repo list              Show available free templates
+
+  Options:
+    --key      Your license key (from purchase)
+    --force    Overwrite existing files
+    --output   Output directory (default: current directory)
+
+  Free templates (always included):
+    SECURITY.md   Secrets management, attack surface, enforced architecture
+    AUTH.md        Token handling, session rules, password policy, roles
+    API.md         Input validation, rate limiting, error handling
+
+  Pro templates (purchase at https://polar.sh/third-space-labs):
+    30 additional files — templates, audit checklist, stack presets, examples
+    Install with: npx secure-repo init --key <your-license-key>
+  `);
+}
+
+function listTemplates() {
+  console.log("\n  Free templates (included):\n");
+  if (fs.existsSync(FREE_DIR)) {
+    fs.readdirSync(FREE_DIR).forEach((f) => console.log(`    ${f}`));
+  }
+
+  console.log("\n  Pro templates (sold separately):\n");
+  const proFiles = [
+    "DATABASE.md", "DEPLOYMENT.md", "INCIDENT_RESPONSE.md", "OBSERVABILITY.md",
+    "TESTING.md", "ENV_VARIABLES.md", "PAYMENTS.md", "DATA_PRIVACY.md",
+    "FILE_UPLOADS.md", "RATE_LIMITING.md", "THIRD_PARTY.md", "ACCESS_CONTROL.md",
+    "LOGGING_PII.md", "PR_CHECKLIST.md", "THREAT_MODEL.md",
+    "VULNERABILITY_REPORTING.md", "CONTRIBUTING_SECURITY.md", "POLICY_INDEX.md",
+  ];
+  proFiles.forEach((f) => console.log(`    ${f}`));
+
+  console.log("\n  Premium:\n");
+  console.log("    FULL_AUDIT_CHECKLIST.md (100+ point security audit)");
+
+  console.log("\n  Stack presets:\n");
+  console.log("    supabase/  (6 files)");
+  console.log("    firebase/  (3 files)");
+
+  console.log("\n  Code examples:\n");
+  console.log("    next-route-handler.ts, rate-limit.ts, zod-validate.ts");
+  console.log("    supabase-rls.sql, firebase-rules.txt");
+
+  console.log("\n  Get pro: https://polar.sh/third-space-labs\n");
+}
+
+function getArg(flag) {
+  const idx = args.indexOf(flag);
+  if (idx === -1 || idx + 1 >= args.length) return null;
+  return args[idx + 1];
+}
+
+function copyFiles(srcDir, destDir, force) {
+  if (!fs.existsSync(srcDir)) return { copied: 0, skipped: 0 };
+  if (!fs.existsSync(destDir)) fs.mkdirSync(destDir, { recursive: true });
+
+  const files = fs.readdirSync(srcDir);
+  let copied = 0;
+  let skipped = 0;
+
+  files.forEach((file) => {
+    const srcPath = path.join(srcDir, file);
+    if (fs.statSync(srcPath).isDirectory()) return;
+
+    const destPath = path.join(destDir, file);
+    if (fs.existsSync(destPath) && !force) {
+      console.log(`    [skip] ${file} (use --force to overwrite)`);
+      skipped++;
+    } else {
+      fs.copyFileSync(srcPath, destPath);
+      console.log(`    [done] ${file}`);
+      copied++;
+    }
+  });
+
+  return { copied, skipped };
+}
+
+// ============================================================
+// Polar license verification
+// ============================================================
+function verifyLicense(licenseKey) {
+  return new Promise((resolve, reject) => {
+    const postData = JSON.stringify({
+      key: licenseKey,
+      organization_id: POLAR_ORGANIZATION_ID,
+    });
+
+    const req = https.request(
+      {
+        hostname: "api.polar.sh",
+        path: "/v1/users/license-keys/validate",
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Content-Length": Buffer.byteLength(postData),
+        },
+      },
+      (res) => {
+        let data = "";
+        res.on("data", (chunk) => (data += chunk));
+        res.on("end", () => {
+          try {
+            const json = JSON.parse(data);
+            if (json.status === "granted" || json.status === "active") {
+              resolve(json);
+            } else {
+              const msg = typeof json.detail === "string" ? json.detail : "Invalid license key";
+              reject(new Error(msg));
+            }
+          } catch {
+            reject(new Error("Failed to verify license"));
+          }
+        });
+      }
+    );
+
+    req.on("error", (err) => reject(new Error(`Network error: ${err.message}`)));
+    req.write(postData);
+    req.end();
+  });
+}
+
+// ============================================================
+// Download file from URL
+// ============================================================
+function downloadFile(url, destPath) {
+  return new Promise((resolve, reject) => {
+    const file = fs.createWriteStream(destPath);
+
+    function follow(url) {
+      https.get(url, (res) => {
+        // Follow redirects
+        if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+          follow(res.headers.location);
+          return;
+        }
+
+        if (res.statusCode !== 200) {
+          reject(new Error(`Download failed (HTTP ${res.statusCode})`));
+          return;
+        }
+
+        res.pipe(file);
+        file.on("finish", () => {
+          file.close();
+          resolve();
+        });
+      }).on("error", (err) => {
+        fs.unlink(destPath, () => {});
+        reject(new Error(`Download error: ${err.message}`));
+      });
+    }
+
+    follow(url);
+  });
+}
+
+// ============================================================
+// Extract zip and install pro templates
+// ============================================================
+function installFromZip(zipPath, outputDir, force) {
+  const tempDir = path.join(outputDir, ".secure-repo-temp");
+
+  try {
+    fs.mkdirSync(tempDir, { recursive: true });
+    execSync(`unzip -o "${zipPath}" -d "${tempDir}"`, { stdio: "pipe" });
+
+    let totalCopied = 0;
+    let totalSkipped = 0;
+
+    // Copy pro templates
+    const proDir = path.join(tempDir, "pro");
+    if (fs.existsSync(proDir)) {
+      console.log("\n  Pro templates:");
+      const r = copyFiles(proDir, outputDir, force);
+      totalCopied += r.copied;
+      totalSkipped += r.skipped;
+    }
+
+    // Copy premium templates
+    const premiumDir = path.join(tempDir, "premium");
+    if (fs.existsSync(premiumDir)) {
+      console.log("\n  Premium:");
+      const r = copyFiles(premiumDir, outputDir, force);
+      totalCopied += r.copied;
+      totalSkipped += r.skipped;
+    }
+
+    // Copy presets
+    const presetsDir = path.join(tempDir, "presets");
+    if (fs.existsSync(presetsDir)) {
+      const presets = fs.readdirSync(presetsDir).filter((f) =>
+        fs.statSync(path.join(presetsDir, f)).isDirectory()
+      );
+      presets.forEach((preset) => {
+        const presetDest = path.join(outputDir, `${preset}-preset`);
+        console.log(`\n  Preset: ${preset} (-> ${preset}-preset/)`);
+        const r = copyFiles(path.join(presetsDir, preset), presetDest, force);
+        totalCopied += r.copied;
+        totalSkipped += r.skipped;
+      });
+    }
+
+    // Copy examples
+    const examplesDir = path.join(tempDir, "examples");
+    if (fs.existsSync(examplesDir)) {
+      const examplesDest = path.join(outputDir, "examples");
+      console.log("\n  Code examples (-> examples/):");
+      const r = copyFiles(examplesDir, examplesDest, force);
+      totalCopied += r.copied;
+      totalSkipped += r.skipped;
+    }
+
+    return { copied: totalCopied, skipped: totalSkipped };
+  } finally {
+    fs.rmSync(tempDir, { recursive: true, force: true });
+  }
+}
+
+// ============================================================
+// INIT — install templates (free, or free + pro with --key)
+// ============================================================
+async function init() {
+  const force = args.includes("--force");
+  const outputDir = getArg("--output") || process.cwd();
+  const licenseKey = getArg("--key");
+
+  if (licenseKey) {
+    // Pro install: verify key, download, extract
+    console.log("\n  secure-repo - Installing pro templates\n");
+    console.log("  Verifying license key...");
+
+    try {
+      await verifyLicense(licenseKey);
+      console.log("  License valid!\n");
+    } catch (err) {
+      console.log(`\n  License verification failed: ${err.message}`);
+      console.log("  Purchase at: https://polar.sh/third-space-labs\n");
+      process.exit(1);
+    }
+
+    // Install free templates first
+    console.log("  Free templates:");
+    const freeResult = copyFiles(FREE_DIR, outputDir, force);
+
+    // Download and install pro templates
+    const zipPath = path.join(outputDir, ".secure-repo-pro.zip");
+    console.log("\n  Downloading pro templates...");
+
+    try {
+      await downloadFile(PRO_ZIP_URL, zipPath);
+      const proResult = installFromZip(zipPath, outputDir, force);
+
+      const totalCopied = freeResult.copied + proResult.copied;
+      const totalSkipped = freeResult.skipped + proResult.skipped;
+
+      console.log(`\n  Done! ${totalCopied} files installed, ${totalSkipped} skipped.`);
+      console.log("\n  Next steps:");
+      console.log("    1. Customize the templates for your project");
+      console.log("    2. Run: npx secure-repo audit");
+      console.log();
+    } catch (err) {
+      console.log(`\n  Download failed: ${err.message}`);
+      console.log("  Try offline install: npx secure-repo import <zip-file>\n");
+      process.exit(1);
+    } finally {
+      // Clean up downloaded zip
+      if (fs.existsSync(zipPath)) fs.unlinkSync(zipPath);
+    }
+  } else {
+    // Free install
+    console.log("\n  secure-repo - Adding production standards to your project\n");
+
+    console.log("  Free templates:");
+    const result = copyFiles(FREE_DIR, outputDir, force);
+
+    console.log(`\n  Done! ${result.copied} files added, ${result.skipped} skipped.`);
+    console.log("\n  Next steps:");
+    console.log("    1. Customize the templates for your project");
+    console.log("    2. Run: npx secure-repo audit");
+    console.log("    3. Get pro templates: npx secure-repo init --key <your-key>");
+    console.log("       Purchase at: https://polar.sh/third-space-labs");
+    console.log();
+  }
+}
+
+// ============================================================
+// IMPORT — import pro templates from zip (offline fallback)
+// ============================================================
+function importPack() {
+  const zipPath = args[1];
+
+  if (!zipPath) {
+    console.log("\n  Usage: npx secure-repo import <path-to-zip>\n");
+    console.log("  Offline alternative to: npx secure-repo init --key <key>");
+    console.log("  Get the pro pack at: https://polar.sh/third-space-labs\n");
+    return;
+  }
+
+  const resolvedPath = path.resolve(zipPath);
+
+  if (!fs.existsSync(resolvedPath)) {
+    console.log(`\n  File not found: ${resolvedPath}\n`);
+    process.exit(1);
+  }
+
+  const force = args.includes("--force");
+  const outputDir = getArg("--output") || process.cwd();
+
+  console.log("\n  secure-repo - Importing pro templates\n");
+
+  // Install free templates too
+  console.log("  Free templates:");
+  const freeResult = copyFiles(FREE_DIR, outputDir, force);
+
+  try {
+    const proResult = installFromZip(resolvedPath, outputDir, force);
+
+    const totalCopied = freeResult.copied + proResult.copied;
+    const totalSkipped = freeResult.skipped + proResult.skipped;
+
+    console.log(`\n  Done! ${totalCopied} files imported, ${totalSkipped} skipped.\n`);
+  } catch (err) {
+    console.log(`\n  Failed to extract zip: ${err.message}\n`);
+    process.exit(1);
+  }
+}
+
+// ============================================================
+// AUDIT — scan repo for security issues (the viral command)
+// ============================================================
+function audit() {
+  const targetDir = getArg("--output") || process.cwd();
+
+  console.log("\n  secure-repo audit\n");
+  console.log("  Scanning repository for security issues...\n");
+
+  let issues = 0;
+  let warnings = 0;
+  let passed = 0;
+
+  // --- Check for recommended files ---
+  console.log("  Policy files:");
+  RECOMMENDED_FILES.forEach(({ file, severity }) => {
+    const filePath = path.join(targetDir, file);
+    if (fs.existsSync(filePath)) {
+      console.log(`    [pass] ${file}`);
+      passed++;
+    } else if (severity === "high") {
+      console.log(`    [FAIL] ${file} — missing (high priority)`);
+      issues++;
+    } else {
+      console.log(`    [warn] ${file} — missing`);
+      warnings++;
+    }
+  });
+
+  // --- Check .gitignore for .env ---
+  console.log("\n  Environment files:");
+  const gitignorePath = path.join(targetDir, ".gitignore");
+  if (fs.existsSync(gitignorePath)) {
+    const gitignore = fs.readFileSync(gitignorePath, "utf8");
+    if (gitignore.includes(".env")) {
+      console.log("    [pass] .env is in .gitignore");
+      passed++;
+    } else {
+      console.log("    [FAIL] .env is NOT in .gitignore");
+      issues++;
+    }
+  } else {
+    console.log("    [FAIL] No .gitignore found");
+    issues++;
+  }
+
+  // --- Check for committed .env files ---
+  const envFiles = [".env", ".env.local", ".env.production"];
+  envFiles.forEach((envFile) => {
+    const envPath = path.join(targetDir, envFile);
+    if (fs.existsSync(envPath)) {
+      console.log(`    [FAIL] ${envFile} exists in repo — may contain secrets`);
+      issues++;
+    }
+  });
+
+  // --- Check for .env.example ---
+  const envExamplePath = path.join(targetDir, ".env.example");
+  if (fs.existsSync(envExamplePath)) {
+    console.log("    [pass] .env.example exists");
+    passed++;
+  } else {
+    console.log("    [warn] .env.example missing — document required env vars");
+    warnings++;
+  }
+
+  // --- Scan for hardcoded secrets in common files ---
+  console.log("\n  Secret scanning:");
+  const scanExtensions = [".ts", ".tsx", ".js", ".jsx", ".mjs", ".env.example"];
+  let secretsFound = 0;
+
+  function scanDir(dir, depth) {
+    if (depth > 5) return;
+    if (!fs.existsSync(dir)) return;
+
+    const entries = fs.readdirSync(dir);
+    entries.forEach((entry) => {
+      if (entry.startsWith(".") || entry === "node_modules" || entry === ".next" || entry === "bin" || entry === "lib") return;
+      const fullPath = path.join(dir, entry);
+
+      try {
+        const stat = fs.statSync(fullPath);
+        if (stat.isDirectory()) {
+          scanDir(fullPath, depth + 1);
+        } else if (scanExtensions.some((ext) => entry.endsWith(ext))) {
+          const content = fs.readFileSync(fullPath, "utf8");
+          DANGER_PATTERNS.forEach(({ pattern, label }) => {
+            if (pattern.test(content)) {
+              const relative = path.relative(targetDir, fullPath);
+              console.log(`    [FAIL] ${relative} — ${label}`);
+              secretsFound++;
+              issues++;
+            }
+          });
+        }
+      } catch {
+        // skip unreadable files
+      }
+    });
+  }
+
+  scanDir(targetDir, 0);
+
+  if (secretsFound === 0) {
+    console.log("    [pass] No obvious secrets found in source files");
+    passed++;
+  }
+
+  // --- Check for HTTPS enforcement (look for http:// in env example) ---
+  console.log("\n  Configuration:");
+  if (fs.existsSync(envExamplePath)) {
+    const envExample = fs.readFileSync(envExamplePath, "utf8");
+    if (envExample.includes("http://") && !envExample.includes("localhost")) {
+      console.log("    [warn] .env.example contains http:// URLs (should be https://)");
+      warnings++;
+    } else {
+      console.log("    [pass] No insecure URLs in .env.example");
+      passed++;
+    }
+  }
+
+  // --- Check for package-lock.json or equivalent ---
+  const lockFiles = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "bun.lockb"];
+  const hasLockFile = lockFiles.some((f) => fs.existsSync(path.join(targetDir, f)));
+  if (hasLockFile) {
+    console.log("    [pass] Dependency lock file exists");
+    passed++;
+  } else if (fs.existsSync(path.join(targetDir, "package.json"))) {
+    console.log("    [warn] No lock file found — pin your dependencies");
+    warnings++;
+  }
+
+  // --- Summary ---
+  console.log("\n  ────────────────────────────────────");
+  console.log(`  Results: ${passed} passed, ${warnings} warnings, ${issues} issues`);
+  console.log("  ────────────────────────────────────");
+
+  if (issues > 0) {
+    console.log(`\n  ${issues} issue(s) found. Fix these before shipping.`);
+    console.log("  Run: npx secure-repo init    (adds missing policy files)");
+  } else if (warnings > 0) {
+    console.log("\n  No critical issues. Some improvements recommended.");
+  } else {
+    console.log("\n  Looking good! Your repo meets basic security standards.");
+  }
+
+  console.log();
+  return issues;
+}
+
+// ============================================================
+// CHECK — compare local templates against latest version
+// ============================================================
+function check() {
+  const destDir = process.cwd();
+
+  console.log("\n  Checking installed templates...\n");
+
+  if (!fs.existsSync(FREE_DIR)) {
+    console.log("  Could not find template source files.\n");
+    return;
+  }
+
+  fs.readdirSync(FREE_DIR).forEach((file) => {
+    const localPath = path.join(destDir, file);
+    if (!fs.existsSync(localPath)) {
+      console.log(`    [missing] ${file}`);
+      return;
+    }
+    const local = fs.readFileSync(localPath, "utf8");
+    const latest = fs.readFileSync(path.join(FREE_DIR, file), "utf8");
+    if (local === latest) {
+      console.log(`    [current] ${file}`);
+    } else {
+      console.log(`    [outdated] ${file} — run init --force to update`);
+    }
+  });
+
+  console.log();
+}
+
+// ============================================================
+// Main
+// ============================================================
+switch (command) {
+  case "init":
+    init();
+    break;
+  case "audit":
+    audit();
+    break;
+  case "import":
+    importPack();
+    break;
+  case "list":
+    listTemplates();
+    break;
+  case "check":
+    check();
+    break;
+  case "help":
+  case "--help":
+  case "-h":
+    printHelp();
+    break;
+  default:
+    printHelp();
+    break;
+}

package/package.json

@@ -0,0 +1,34 @@
+{
+  "name": "secure-repo",
+  "version": "1.0.0",
+  "description": "Drop production-grade security standards into any repo. Audit your repo for security issues. Templates for AI-assisted development.",
+  "bin": {
+    "secure-repo": "./bin/cli.js"
+  },
+  "keywords": [
+    "security",
+    "audit",
+    "templates",
+    "saas",
+    "nextjs",
+    "supabase",
+    "firebase",
+    "production",
+    "standards",
+    "authentication",
+    "api-security",
+    "security-audit",
+    "checklist",
+    "devtools",
+    "ai-coding"
+  ],
+  "author": "sebiomoa",
+  "license": "MIT",
+  "files": [
+    "bin/",
+    "templates/free/"
+  ],
+  "engines": {
+    "node": ">=16"
+  }
+}

package/templates/free/API.md

@@ -0,0 +1,111 @@
+# API Standards
+
+All API endpoints in this repository must follow these rules. Insecure or unvalidated endpoints are the most common attack vector in modern web apps.
+
+## Rules (MUST FOLLOW)
+
+- **Validate all input**
+  - Every endpoint must validate request body, query params, and path params.
+  - Use a schema validation library (e.g. zod, yup, joi).
+  - Reject invalid payloads with 400 and a safe error message.
+  - Never pass raw user input to database queries or system commands.
+
+- **Rate limit all public endpoints**
+  - Login, signup, password reset: strict limits (5-10 req/min per IP).
+  - Public read endpoints: moderate limits (60-120 req/min per IP).
+  - Authenticated endpoints: per-user limits where appropriate.
+  - Return 429 when limits are exceeded.
+
+- **Authenticate before processing**
+  - Protected endpoints must verify auth before any business logic runs.
+  - Check auth first, validate input second, then process.
+  - Return 401 for missing auth, 403 for insufficient permissions.
+
+- **Never expose internal errors**
+  - Return generic error messages to clients (e.g. "Something went wrong").
+  - Log full error details server-side only.
+  - Never leak stack traces, SQL errors, or internal paths in responses.
+
+- **Use consistent error format**
+  ```json
+  {
+    "error": {
+      "code": "VALIDATION_ERROR",
+      "message": "Email is required."
+    }
+  }
+  ```
+
+- **Idempotency for write operations**
+  - POST endpoints that create resources should support idempotency keys where possible.
+  - PUT and DELETE must be idempotent by design.
+
+## Endpoint Conventions
+
+### Naming
+
+```
+GET    /api/resources          -> list
+GET    /api/resources/:id      -> get one
+POST   /api/resources          -> create
+PUT    /api/resources/:id      -> update (full replace)
+PATCH  /api/resources/:id      -> update (partial)
+DELETE /api/resources/:id      -> delete
+```
+
+### Response codes
+
+| Code | Use |
+|------|-----|
+| 200 | Successful read or update |
+| 201 | Successful creation |
+| 204 | Successful deletion (no body) |
+| 400 | Invalid input |
+| 401 | Not authenticated |
+| 403 | Not authorized |
+| 404 | Resource not found |
+| 409 | Conflict (duplicate, version mismatch) |
+| 429 | Rate limited |
+| 500 | Server error (never expose details) |
+
+## Request/Response Rules
+
+- **Content-Type**: Always set and check `Content-Type: application/json` for JSON endpoints.
+- **CORS**: Only allow specific origins. Never use `*` on authenticated endpoints.
+- **Pagination**: List endpoints must support pagination. Default limit: 20-50. Max limit: 100.
+- **Filtering**: Validate filter params against an allowlist. Never pass raw filter values to queries.
+
+## Server Route Pattern (Next.js)
+
+Every API route should follow this structure:
+
+```typescript
+export async function POST(request: Request) {
+  // 1. Authenticate
+  const session = await verifySession(request);
+  if (!session) return Response.json({ error: { code: "UNAUTHORIZED" } }, { status: 401 });
+
+  // 2. Validate input
+  const body = await request.json();
+  const parsed = schema.safeParse(body);
+  if (!parsed.success) return Response.json({ error: { code: "VALIDATION_ERROR" } }, { status: 400 });
+
+  // 3. Process
+  const result = await doTheThing(parsed.data);
+
+  // 4. Respond
+  return Response.json(result, { status: 200 });
+}
+```
+
+## Required Checks Before Merge
+
+Before merging any API changes:
+
+- [ ] All inputs are validated with a schema
+- [ ] Rate limiting is configured for public endpoints
+- [ ] Auth is checked before business logic
+- [ ] Error responses do not leak internal details
+- [ ] CORS is configured for specific origins only
+- [ ] New endpoints are documented
+- [ ] No raw user input reaches database queries or shell commands

package/templates/free/AUTH.md

@@ -0,0 +1,99 @@
+# Authentication & Authorization Policy
+
+This repository handles authenticated user sessions and role-based access. Authentication mistakes can expose user data or privileged operations.
+
+Treat all authentication logic as **security-critical**.
+
+## Rules (MUST FOLLOW)
+
+- **Never trust client authentication state**
+  - The server must always verify tokens or sessions.
+  - Client-side auth state is for UI rendering only.
+
+- **JWT tokens must be verified server-side**
+  - Verify signature against your secret/public key.
+  - Verify expiration (`exp` claim).
+  - Verify issuer (`iss`) and audience (`aud`) if applicable.
+  - Reject tokens that fail any check.
+
+- **Use short-lived access tokens**
+  - Access tokens: 15 minutes or less.
+  - Refresh tokens: rotate on every use, invalidate old ones.
+  - Never reuse refresh tokens.
+
+- **Do not store tokens in localStorage**
+  - Prefer `httpOnly`, `Secure`, `SameSite=Strict` cookies.
+  - If localStorage is unavoidable, document the risk and compensate with short TTLs.
+
+- **Session revocation must be supported**
+  - Users must be able to log out of all devices.
+  - Token revocation or session invalidation must be server-enforced.
+
+- **Password rules**
+  - Minimum 8 characters. No maximum below 128.
+  - Use bcrypt, scrypt, or argon2 for hashing. Never SHA-256 or MD5 for passwords.
+  - Enforce rate limiting on login attempts (max 5 per minute per IP/account).
+
+- **Magic link / OTP rules**
+  - Links and codes expire within 10 minutes.
+  - Single use only. Invalidate after first use.
+  - Rate limit generation (max 3 per 15 minutes per email).
+
+## Authorization Model
+
+Use role-based access control (RBAC).
+
+### Default roles:
+
+| Role | Description |
+|------|-------------|
+| `anonymous` | Unauthenticated visitor. Read-only public data. |
+| `authenticated` | Logged-in user. Access own data only. |
+| `admin` | Full access. Verified server-side. |
+
+### Rules:
+
+- Admin actions must require server-side role verification.
+- Never trust role claims sent from the client.
+- Roles must be validated against database state, not just JWT claims.
+- Role escalation (user -> admin) must require re-authentication.
+
+## Protected Endpoints
+
+All endpoints requiring authentication must:
+
+1. Verify session or JWT before processing.
+2. Validate request input with a schema (e.g. zod).
+3. Enforce role-based permissions.
+4. Return 401 for missing auth, 403 for insufficient permissions.
+
+### Endpoint patterns:
+
+```
+/api/user/**     -> requires authenticated role
+/api/account/**  -> requires authenticated role + ownership check
+/api/admin/**    -> requires admin role (verified server-side)
+```
+
+## Common Auth Vulnerabilities To Avoid
+
+- Accepting expired or malformed tokens
+- Storing tokens in unsafe storage (localStorage, query params, cookies without httpOnly)
+- Trusting client-provided role claims
+- Allowing unauthenticated password reset flows
+- Missing brute-force protections on login
+- Not invalidating sessions on password change
+- Open redirect after login (validate redirect URLs server-side)
+- CSRF on state-changing auth endpoints (use SameSite cookies or CSRF tokens)
+
+## Required Checks Before Merge
+
+Before merging any authentication-related changes:
+
+- [ ] Session/token verification works correctly server-side
+- [ ] Protected endpoints reject anonymous users with 401
+- [ ] Admin routes require and verify admin role server-side
+- [ ] Tokens expire correctly and cannot be reused after expiration
+- [ ] Password changes invalidate existing sessions
+- [ ] Rate limiting is active on login and token generation endpoints
+- [ ] No auth tokens appear in URLs, logs, or error messages

package/templates/free/SECURITY.md

@@ -0,0 +1,117 @@
+# Security Policy
+
+This repository handles production user data and privileged database access. Treat security requirements as **non-optional**.
+
+## Agent Rules (MUST FOLLOW)
+
+- **No secrets in code**
+  - Never commit: Database passwords, JWT secrets, API keys, service account keys, or admin credentials.
+  - Client-side env vars must be limited to public-safe values only (e.g. public API URLs, publishable keys).
+
+- **Assume public keys are public**
+  - Anyone can extract client-side keys from a web app.
+  - All data protection must be enforced via database access control, safe RPCs, and server-side checks.
+
+- **Privileged key usage**
+  - Admin or service-level keys may only be used in:
+    - Server-side route handlers (e.g. Next.js `src/app/api/**`, Express routes)
+    - Serverless functions or edge functions
+    - Trusted backend workers
+  - Never expose privileged keys to the browser.
+
+- **Database access control is mandatory**
+  - Any table with user data must have access control (row-level security, middleware checks, or ORM-level policies).
+  - Avoid permissive write rules that allow any user to insert or modify any row.
+
+- **Prefer server endpoints for public write actions**
+  - Any endpoint that records data (analytics, clicks, form submissions) must:
+    - Validate input (e.g. zod)
+    - Apply rate limits
+    - Use server-side database writes with privileged credentials
+  - Client components must not write to the database directly. Use a server route.
+
+- **Function and procedure hardening**
+  - Database functions that run with elevated privileges must:
+    - Have a fixed, safe execution context.
+    - Restrict execution to the roles that need it.
+
+- **Do not increase attack surface**
+  - Do not attach privileged objects to `window` or global scope unless strictly required.
+  - Avoid broad CORS (`*`) except where explicitly intended and reviewed.
+
+## Required Checks Before Merge
+
+- **Repository scan**
+  - Search for leaked keys:
+    - Database passwords or connection strings
+    - JWTs (`eyJ...`)
+    - Any secret keys, tokens, or credentials
+
+- **Database review** (required after any DB/access control change)
+  - Verify access control policies cover new tables and columns.
+  - Run security and performance checks available in your database platform.
+
+- **Verify public write paths**
+  - Confirm no tables allow anonymous inserts without validation/rate limiting.
+  - Confirm any public write action is routed through a server endpoint.
+
+## Patterns To Use
+
+- **Server-side event tracking**
+  - Use a server API route with rate limiting and privileged database writes.
+  - Example endpoints:
+    - `/api/track-click` -> records event via server-side DB client
+    - `/api/track-event` -> records event via server-side DB client
+
+- **Restrict direct database function execution**
+  - Sensitive database functions must not be callable by anonymous or public roles.
+  - Execution should be restricted to server-side service accounts.
+
+- **Public analytics**
+  - Prefer a server endpoint that accepts sanitized payloads and enforces bot checks.
+
+- **Admin-only actions**
+  - Admin endpoints must use privileged database credentials and proper authorization.
+  - Avoid using public/anonymous database clients inside admin routes.
+
+## Enforced Architecture
+
+### Option A: Server routes for any privileged writes
+
+- Direct writes to protected tables from client code are not allowed.
+- All privileged writes must go through server-side route handlers.
+- Server routes must:
+  - Validate input (e.g. zod)
+  - Rate limit
+  - Authenticate via `Authorization: Bearer <JWT>` or session cookie
+  - Use privileged credentials for DB writes
+
+### Option B: Anonymous activity is local-only
+
+- Anonymous activity must remain local until login.
+- Cloud state for user data is **authenticated-only**:
+  - User lists and collections
+  - Recently viewed items
+  - Progress tracking
+  - Any user-specific data
+
+## Database Hardening Rules
+
+- **Protected tables**
+  - Admin tables, user tokens, user data tables, and any sensitive business data.
+
+- **Access control and grants**
+  - Admin tables are accessible only via privileged server-side credentials.
+  - Public tables allow read-only access where appropriate.
+  - Table writes are server-side only (via server endpoints).
+
+- **Function grants + hardening**
+  - Sensitive database functions are restricted to privileged roles only.
+  - Functions with elevated privileges must have a fixed, safe execution context.
+
+## Incident Response (If a key is exposed)
+
+1. Rotate impacted keys immediately.
+2. Audit access control policies and function grants.
+3. Review logs for unusual access patterns.
+4. Add a regression test/checklist entry to prevent recurrence.