secure-repo 1.0.9 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/cli.js +96 -5
- package/package.json +1 -1
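--- a/package/bin/cli.js
+++ b/package/bin/cli.js
@@ -273,6 +273,87 @@ function installFromZip(zipPath, outputDir, force) {
 }
 }
 
+// ============================================================
+// Agent instruction files — tell AI agents to read policy files
+// ============================================================
+const AGENT_INSTRUCTION = `# Security Policies — MUST READ
+
+This project uses ShipSecure security policies. Before writing or modifying code, you MUST read and follow every policy file that exists in this repository.
+
+## Policy Files
+
+Read each of these files if they exist before making changes:
+
+### Core
+- SECURITY.md — Secrets management, attack surface, enforced architecture
+- AUTH.md — Token handling, session rules, password policy, roles
+- API.md — Input validation, rate limiting, error handling
+
+### Extended
+- DATABASE.md — Query safety, access control, migrations
+- ENV_VARIABLES.md — Environment variable handling, secret rotation
+- DEPLOYMENT.md — Deploy pipeline, environment isolation
+- INCIDENT_RESPONSE.md — Breach response, escalation procedures
+- ACCESS_CONTROL.md — Role-based access, permission boundaries
+- DATA_PRIVACY.md — PII handling, data retention, GDPR compliance
+- PAYMENTS.md — Payment processing, PCI compliance
+- FILE_UPLOADS.md — Upload validation, storage security
+- RATE_LIMITING.md — Throttling, abuse prevention
+- THIRD_PARTY.md — Dependency security, vendor risk
+- LOGGING_PII.md — Log sanitization, PII redaction
+- TESTING.md — Security test requirements
+- OBSERVABILITY.md — Monitoring, alerting, audit trails
+- THREAT_MODEL.md — Known threats and mitigations
+- PR_CHECKLIST.md — Pre-merge security checklist
+- CONTRIBUTING_SECURITY.md — Security contribution guidelines
+- VULNERABILITY_REPORTING.md — Responsible disclosure process
+- POLICY_INDEX.md — Index of all policies
+- FULL_AUDIT_CHECKLIST.md — 100+ point security audit checklist
+
+### Stack Presets
+- supabase-preset/ — Supabase-specific security rules (if present)
+- firebase-preset/ — Firebase-specific security rules (if present)
+
+## Rules
+
+1. Always check policy files before writing code — if your task touches auth, APIs, database, payments, file uploads, or any area with a policy file, read that file first.
+2. Never violate a policy — if a policy says "never do X", do not do X. Flag it if unsure.
+3. Secrets are never hardcoded — no API keys, tokens, passwords, or credentials in source code.
+4. Validate all input — every endpoint, every form, every external data source.
+5. Follow the principle of least privilege — only request the permissions you need.
+`;
+
+function writeAgentFiles(outputDir, force) {
+const agentFiles = [
+{ path: "CLAUDE.md", name: "Claude" },
+{ path: ".cursorrules", name: "Cursor" },
+{ path: ".github/copilot-instructions.md", name: "GitHub Copilot" },
+{ path: ".windsurfrules", name: "Windsurf" },
+{ path: ".clinerules", name: "Cline" },
+];
+
+let written = 0;
+let skipped = 0;
+
+console.log("\n Agent instructions:");
+agentFiles.forEach(({ path: filePath, name }) => {
+const fullPath = path.join(outputDir, filePath);
+const dir = path.dirname(fullPath);
+if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+
+if (fs.existsSync(fullPath) && !force) {
+console.log(` [skip] ${filePath} (${name}) — use --force to overwrite`);
+skipped++;
+} else {
+fs.writeFileSync(fullPath, AGENT_INSTRUCTION);
+console.log(` [done] ${filePath} (${name})`);
+written++;
+}
+});
+
+return { written, skipped };
+}
+
 // ============================================================
 // INIT — install templates (free, or free + pro with --key)
 // ============================================================
@@ -307,8 +388,11 @@ async function init() {
 await downloadProZip(zipPath, licenseKey);
 const proResult = installFromZip(zipPath, outputDir, force);
 
-
-const
+// Write agent instruction files
+const agentResult = writeAgentFiles(outputDir, force);
+
+const totalCopied = freeResult.copied + proResult.copied + agentResult.written;
+const totalSkipped = freeResult.skipped + proResult.skipped + agentResult.skipped;
 
 console.log(`\n Done! ${totalCopied} files installed, ${totalSkipped} skipped.`);
 console.log("\n Next steps:");
@@ -330,7 +414,13 @@ async function init() {
 console.log(" Free templates:");
 const result = copyFiles(FREE_DIR, outputDir, force);
 
-
+// Write agent instruction files
+const agentResult = writeAgentFiles(outputDir, force);
+
+const totalCopied = result.copied + agentResult.written;
+const totalSkipped = result.skipped + agentResult.skipped;
+
+console.log(`\n Done! ${totalCopied} files added, ${totalSkipped} skipped.`);
 console.log("\n Next steps:");
 console.log(" 1. Customize the templates for your project");
 console.log(" 2. Run: npx secure-repo audit");
@@ -374,9 +464,10 @@ function importPack() {
 
 try {
 const proResult = installFromZip(resolvedPath, outputDir, force);
+const agentResult = writeAgentFiles(outputDir, force);
 
-const totalCopied = freeResult.copied + proResult.copied;
-const totalSkipped = freeResult.skipped + proResult.skipped;
+const totalCopied = freeResult.copied + proResult.copied + agentResult.written;
+const totalSkipped = freeResult.skipped + proResult.skipped + agentResult.skipped;
 
 console.log(`\n Done! ${totalCopied} files imported, ${totalSkipped} skipped.\n`);
 } catch (err) {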
package/package.json