secure-repo 1.0.9 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
  1. package/bin/cli.js +96 -5
  2. package/package.json +1 -1
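--- a/package/bin/cli.js
+++ b/package/bin/cli.js
@@ -273,6 +273,87 @@ function installFromZip(zipPath, outputDir, force) {
  }
  }
 
+ // ============================================================
+ // Agent instruction files — tell AI agents to read policy files
+ // ============================================================
+ const AGENT_INSTRUCTION = `# Security Policies — MUST READ
+
+ This project uses ShipSecure security policies. Before writing or modifying code, you MUST read and follow every policy file that exists in this repository.
+
+ ## Policy Files
+
+ Read each of these files if they exist before making changes:
+
+ ### Core
+ - SECURITY.md — Secrets management, attack surface, enforced architecture
+ - AUTH.md — Token handling, session rules, password policy, roles
+ - API.md — Input validation, rate limiting, error handling
+
+ ### Extended
+ - DATABASE.md — Query safety, access control, migrations
+ - ENV_VARIABLES.md — Environment variable handling, secret rotation
+ - DEPLOYMENT.md — Deploy pipeline, environment isolation
+ - INCIDENT_RESPONSE.md — Breach response, escalation procedures
+ - ACCESS_CONTROL.md — Role-based access, permission boundaries
+ - DATA_PRIVACY.md — PII handling, data retention, GDPR compliance
+ - PAYMENTS.md — Payment processing, PCI compliance
+ - FILE_UPLOADS.md — Upload validation, storage security
+ - RATE_LIMITING.md — Throttling, abuse prevention
+ - THIRD_PARTY.md — Dependency security, vendor risk
+ - LOGGING_PII.md — Log sanitization, PII redaction
+ - TESTING.md — Security test requirements
+ - OBSERVABILITY.md — Monitoring, alerting, audit trails
+ - THREAT_MODEL.md — Known threats and mitigations
+ - PR_CHECKLIST.md — Pre-merge security checklist
+ - CONTRIBUTING_SECURITY.md — Security contribution guidelines
+ - VULNERABILITY_REPORTING.md — Responsible disclosure process
+ - POLICY_INDEX.md — Index of all policies
+ - FULL_AUDIT_CHECKLIST.md — 100+ point security audit checklist
+
+ ### Stack Presets
+ - supabase-preset/ — Supabase-specific security rules (if present)
+ - firebase-preset/ — Firebase-specific security rules (if present)
+
+ ## Rules
+
+ 1. Always check policy files before writing code — if your task touches auth, APIs, database, payments, file uploads, or any area with a policy file, read that file first.
+ 2. Never violate a policy — if a policy says "never do X", do not do X. Flag it if unsure.
+ 3. Secrets are never hardcoded — no API keys, tokens, passwords, or credentials in source code.
+ 4. Validate all input — every endpoint, every form, every external data source.
+ 5. Follow the principle of least privilege — only request the permissions you need.
+ `;
+
+ function writeAgentFiles(outputDir, force) {
+ const agentFiles = [
+ { path: "CLAUDE.md", name: "Claude" },
+ { path: ".cursorrules", name: "Cursor" },
+ { path: ".github/copilot-instructions.md", name: "GitHub Copilot" },
+ { path: ".windsurfrules", name: "Windsurf" },
+ { path: ".clinerules", name: "Cline" },
+ ];
+
+ let written = 0;
+ let skipped = 0;
+
+ console.log("\n Agent instructions:");
+ agentFiles.forEach(({ path: filePath, name }) => {
+ const fullPath = path.join(outputDir, filePath);
+ const dir = path.dirname(fullPath);
+ if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+
+ if (fs.existsSync(fullPath) && !force) {
+ console.log(` [skip] ${filePath} (${name}) — use --force to overwrite`);
+ skipped++;
+ } else {
+ fs.writeFileSync(fullPath, AGENT_INSTRUCTION);
+ console.log(` [done] ${filePath} (${name})`);
+ written++;
+ }
+ });
+
+ return { written, skipped };
+ }
+
  // ============================================================
  // INIT — install templates (free, or free + pro with --key)
  // ============================================================
@@ -307,8 +388,11 @@ async function init() {
  await downloadProZip(zipPath, licenseKey);
  const proResult = installFromZip(zipPath, outputDir, force);
 
- const totalCopied = freeResult.copied + proResult.copied;
- const totalSkipped = freeResult.skipped + proResult.skipped;
+ // Write agent instruction files
+ const agentResult = writeAgentFiles(outputDir, force);
+
+ const totalCopied = freeResult.copied + proResult.copied + agentResult.written;
+ const totalSkipped = freeResult.skipped + proResult.skipped + agentResult.skipped;
 
  console.log(`\n Done! ${totalCopied} files installed, ${totalSkipped} skipped.`);
  console.log("\n Next steps:");
@@ -330,7 +414,13 @@ async function init() {
  console.log(" Free templates:");
  const result = copyFiles(FREE_DIR, outputDir, force);
 
- console.log(`\n Done! ${result.copied} files added, ${result.skipped} skipped.`);
+ // Write agent instruction files
+ const agentResult = writeAgentFiles(outputDir, force);
+
+ const totalCopied = result.copied + agentResult.written;
+ const totalSkipped = result.skipped + agentResult.skipped;
+
+ console.log(`\n Done! ${totalCopied} files added, ${totalSkipped} skipped.`);
  console.log("\n Next steps:");
  console.log(" 1. Customize the templates for your project");
  console.log(" 2. Run: npx secure-repo audit");
@@ -374,9 +464,10 @@ function importPack() {
 
  try {
  const proResult = installFromZip(resolvedPath, outputDir, force);
+ const agentResult = writeAgentFiles(outputDir, force);
 
- const totalCopied = freeResult.copied + proResult.copied;
- const totalSkipped = freeResult.skipped + proResult.skipped;
+ const totalCopied = freeResult.copied + proResult.copied + agentResult.written;
+ const totalSkipped = freeResult.skipped + proResult.skipped + agentResult.skipped;
 
  console.log(`\n Done! ${totalCopied} files imported, ${totalSkipped} skipped.\n`);
  } catch (err) {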
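Review bot: In `writeAgentFiles` (first hunk), the `--force` branch at `fs.writeFileSync(fullPath, AGENT_INSTRUCTION)` replaces any existing CLAUDE.md, .cursorrules, .windsurfrules, .clinerules or .github/copilot-instructions.md wholesale, and since `--force` is the same flag users pass to refresh templates, a forced re-run silently discards whatever project-specific agent instructions they had in those files. Appending a clearly delimited section to an existing file would be safer than replacing it; at minimum keep a copy before the write, `if (fs.existsSync(fullPath)) fs.copyFileSync(fullPath, `${fullPath}.bak`);`. The `fs.mkdirSync(dir, { recursive: true })` call also runs before the skip check, so a `.github/` directory is created even when nothing is written; moving it into the `else` branch avoids the stray directory. The `init()` and `importPack()` hunks call `writeAgentFiles` unconditionally, so there is currently no way to install templates without also touching these files, and an opt-out flag would be worth considering.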
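--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "secure-repo",
- "version": "1.0.9",
+ "version": "1.1.0",
  "description": "Drop production-grade security standards into any repo. Audit your repo for security issues. Templates for AI-assisted development.",
  "bin": {
  "secure-repo": "./bin/cli.js"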