secure-repo 1.0.9 → 1.2.0

package/bin/cli.js

@@ -21,6 +21,7 @@ const RECOMMENDED_FILES = [
   { file: "SECURITY.md", category: "security", severity: "high" },
   { file: "AUTH.md", category: "security", severity: "high" },
   { file: "API.md", category: "security", severity: "high" },
+  { file: "ACCESSIBILITY.md", category: "accessibility", severity: "medium" },
   { file: "DATABASE.md", category: "security", severity: "medium" },
   { file: "DEPLOYMENT.md", category: "operations", severity: "medium" },
   { file: "INCIDENT_RESPONSE.md", category: "operations", severity: "medium" },
@@ -56,9 +57,10 @@ function printHelp() {
     --output   Output directory (default: current directory)
 
   Free templates (always included):
-    SECURITY.md   Secrets management, attack surface, enforced architecture
-    AUTH.md        Token handling, session rules, password policy, roles
-    API.md         Input validation, rate limiting, error handling
+    SECURITY.md       Secrets management, attack surface, enforced architecture
+    AUTH.md            Token handling, session rules, password policy, roles
+    API.md             Input validation, rate limiting, error handling
+    ACCESSIBILITY.md   WCAG compliance, semantic HTML, keyboard nav, screen readers
 
   Pro templates (purchase at https://buy.polar.sh/polar_cl_q7Wa3Gcng42437OoTx4wHVNyMMyYv0WbtobUv145EZH):
     30 additional files — templates, audit checklist, stack presets, examples
@@ -273,6 +275,88 @@ function installFromZip(zipPath, outputDir, force) {
   }
 }
 
+// ============================================================
+// Agent instruction files — tell AI agents to read policy files
+// ============================================================
+const AGENT_INSTRUCTION = `# Security Policies — MUST READ
+
+This project uses ShipSecure security policies. Before writing or modifying code, you MUST read and follow every policy file that exists in this repository.
+
+## Policy Files
+
+Read each of these files if they exist before making changes:
+
+### Core
+- SECURITY.md — Secrets management, attack surface, enforced architecture
+- AUTH.md — Token handling, session rules, password policy, roles
+- API.md — Input validation, rate limiting, error handling
+- ACCESSIBILITY.md — WCAG compliance, semantic HTML, keyboard navigation, screen readers
+
+### Extended
+- DATABASE.md — Query safety, access control, migrations
+- ENV_VARIABLES.md — Environment variable handling, secret rotation
+- DEPLOYMENT.md — Deploy pipeline, environment isolation
+- INCIDENT_RESPONSE.md — Breach response, escalation procedures
+- ACCESS_CONTROL.md — Role-based access, permission boundaries
+- DATA_PRIVACY.md — PII handling, data retention, GDPR compliance
+- PAYMENTS.md — Payment processing, PCI compliance
+- FILE_UPLOADS.md — Upload validation, storage security
+- RATE_LIMITING.md — Throttling, abuse prevention
+- THIRD_PARTY.md — Dependency security, vendor risk
+- LOGGING_PII.md — Log sanitization, PII redaction
+- TESTING.md — Security test requirements
+- OBSERVABILITY.md — Monitoring, alerting, audit trails
+- THREAT_MODEL.md — Known threats and mitigations
+- PR_CHECKLIST.md — Pre-merge security checklist
+- CONTRIBUTING_SECURITY.md — Security contribution guidelines
+- VULNERABILITY_REPORTING.md — Responsible disclosure process
+- POLICY_INDEX.md — Index of all policies
+- FULL_AUDIT_CHECKLIST.md — 100+ point security audit checklist
+
+### Stack Presets
+- supabase-preset/ — Supabase-specific security rules (if present)
+- firebase-preset/ — Firebase-specific security rules (if present)
+
+## Rules
+
+1. Always check policy files before writing code — if your task touches auth, APIs, database, payments, file uploads, or any area with a policy file, read that file first.
+2. Never violate a policy — if a policy says "never do X", do not do X. Flag it if unsure.
+3. Secrets are never hardcoded — no API keys, tokens, passwords, or credentials in source code.
+4. Validate all input — every endpoint, every form, every external data source.
+5. Follow the principle of least privilege — only request the permissions you need.
+`;
+
+function writeAgentFiles(outputDir, force) {
+  const agentFiles = [
+    { path: "CLAUDE.md", name: "Claude" },
+    { path: ".cursorrules", name: "Cursor" },
+    { path: ".github/copilot-instructions.md", name: "GitHub Copilot" },
+    { path: ".windsurfrules", name: "Windsurf" },
+    { path: ".clinerules", name: "Cline" },
+  ];
+
+  let written = 0;
+  let skipped = 0;
+
+  console.log("\n  Agent instructions:");
+  agentFiles.forEach(({ path: filePath, name }) => {
+    const fullPath = path.join(outputDir, filePath);
+    const dir = path.dirname(fullPath);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+
+    if (fs.existsSync(fullPath) && !force) {
+      console.log(`    [skip] ${filePath} (${name}) — use --force to overwrite`);
+      skipped++;
+    } else {
+      fs.writeFileSync(fullPath, AGENT_INSTRUCTION);
+      console.log(`    [done] ${filePath} (${name})`);
+      written++;
+    }
+  });
+
+  return { written, skipped };
+}
+
 // ============================================================
 // INIT — install templates (free, or free + pro with --key)
 // ============================================================
@@ -307,8 +391,11 @@ async function init() {
       await downloadProZip(zipPath, licenseKey);
       const proResult = installFromZip(zipPath, outputDir, force);
 
-      const totalCopied = freeResult.copied + proResult.copied;
-      const totalSkipped = freeResult.skipped + proResult.skipped;
+      // Write agent instruction files
+      const agentResult = writeAgentFiles(outputDir, force);
+
+      const totalCopied = freeResult.copied + proResult.copied + agentResult.written;
+      const totalSkipped = freeResult.skipped + proResult.skipped + agentResult.skipped;
 
       console.log(`\n  Done! ${totalCopied} files installed, ${totalSkipped} skipped.`);
       console.log("\n  Next steps:");
@@ -330,7 +417,13 @@ async function init() {
     console.log("  Free templates:");
     const result = copyFiles(FREE_DIR, outputDir, force);
 
-    console.log(`\n  Done! ${result.copied} files added, ${result.skipped} skipped.`);
+    // Write agent instruction files
+    const agentResult = writeAgentFiles(outputDir, force);
+
+    const totalCopied = result.copied + agentResult.written;
+    const totalSkipped = result.skipped + agentResult.skipped;
+
+    console.log(`\n  Done! ${totalCopied} files added, ${totalSkipped} skipped.`);
     console.log("\n  Next steps:");
     console.log("    1. Customize the templates for your project");
     console.log("    2. Run: npx secure-repo audit");
@@ -374,9 +467,10 @@ function importPack() {
 
   try {
     const proResult = installFromZip(resolvedPath, outputDir, force);
+    const agentResult = writeAgentFiles(outputDir, force);
 
-    const totalCopied = freeResult.copied + proResult.copied;
-    const totalSkipped = freeResult.skipped + proResult.skipped;
+    const totalCopied = freeResult.copied + proResult.copied + agentResult.written;
+    const totalSkipped = freeResult.skipped + proResult.skipped + agentResult.skipped;
 
     console.log(`\n  Done! ${totalCopied} files imported, ${totalSkipped} skipped.\n`);
   } catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "secure-repo",
-  "version": "1.0.9",
+  "version": "1.2.0",
   "description": "Drop production-grade security standards into any repo. Audit your repo for security issues. Templates for AI-assisted development.",
   "bin": {
     "secure-repo": "./bin/cli.js"

package/templates/free/ACCESSIBILITY.md

@@ -0,0 +1,99 @@
+# Accessibility Policy
+
+This repository must meet WCAG 2.1 Level AA standards. Treat accessibility requirements as **non-optional**.
+
+## Agent Rules (MUST FOLLOW)
+
+- **Semantic HTML first**
+  - Use `<button>` for actions, `<a>` for navigation, `<nav>`, `<main>`, `<header>`, `<footer>`, `<section>`, `<article>` for structure.
+  - Never use `<div>` or `<span>` for interactive elements. If it's clickable, it must be a `<button>` or `<a>`.
+  - Use heading hierarchy (`h1` > `h2` > `h3`) — never skip levels.
+
+- **All images must have alt text**
+  - Informative images: describe the content (`alt="Bar chart showing 40% growth in Q3"`).
+  - Decorative images: use empty alt (`alt=""`) or CSS background.
+  - Never use `alt="image"`, `alt="photo"`, or `alt="icon"`.
+
+- **All form inputs must have labels**
+  - Use `<label htmlFor="id">` or `aria-label` / `aria-labelledby`.
+  - Never use placeholder text as the only label.
+  - Error messages must be associated with their input via `aria-describedby`.
+
+- **Keyboard navigation is mandatory**
+  - Every interactive element must be reachable and operable with keyboard only (Tab, Enter, Escape, Arrow keys).
+  - Focus order must follow visual reading order.
+  - Never remove `:focus` or `:focus-visible` outlines without providing a visible alternative.
+  - Modal dialogs must trap focus and return focus on close.
+
+- **Color is never the only indicator**
+  - Error states, status indicators, and required fields must use text, icons, or patterns in addition to color.
+  - Maintain minimum contrast ratios:
+    - Normal text: 4.5:1 against background.
+    - Large text (18px+ bold or 24px+): 3:1 against background.
+    - UI components and icons: 3:1 against adjacent colors.
+
+- **Font sizes and readability**
+  - Minimum body text: 16px (1rem). Never go below 14px for any readable text.
+  - Use relative units (`rem`, `em`) not fixed `px` for font sizes — allows user browser zoom and font size preferences.
+  - Line height: minimum 1.5 for body text, 1.2 for headings.
+  - Paragraph max-width: 65–75 characters for comfortable reading.
+  - Never disable user text scaling — do not set `maximum-scale=1` in viewport meta.
+  - Touch targets: minimum 44x44px for buttons and links on mobile.
+
+- **ARIA usage**
+  - Prefer native HTML elements over ARIA. ARIA is a last resort, not a first choice.
+  - If you use ARIA: `aria-label`, `aria-labelledby`, `aria-describedby`, `aria-live`, `aria-expanded`, `aria-hidden`.
+  - Never use `aria-hidden="true"` on focusable elements.
+  - Dynamic content updates must use `aria-live="polite"` or `aria-live="assertive"`.
+
+- **Motion and animation**
+  - Respect `prefers-reduced-motion`. Wrap animations in `@media (prefers-reduced-motion: no-preference)`.
+  - Never auto-play video or audio without user consent.
+  - Avoid flashing content (no more than 3 flashes per second).
+
+## Required Checks Before Merge
+
+- **Keyboard test**
+  - Tab through every interactive element on the page.
+  - Verify focus is visible, logical, and never trapped (except in modals).
+
+- **Screen reader test**
+  - Headings, landmarks, form labels, and alt text must be announced correctly.
+  - Dynamic updates (toasts, errors, loading states) must be announced via `aria-live`.
+
+- **Color contrast check**
+  - Run a contrast checker on all text and interactive elements.
+  - Verify no information is conveyed by color alone.
+
+- **Zoom test**
+  - Page must be usable at 200% browser zoom with no content loss or overlap.
+
+## Patterns To Use
+
+- **Skip navigation link**
+  - Add a "Skip to main content" link as the first focusable element.
+  - `<a href="#main" className="sr-only focus:not-sr-only">Skip to main content</a>`
+
+- **Loading states**
+  - Use `aria-busy="true"` on containers that are loading.
+  - Announce completion with `aria-live="polite"`.
+
+- **Error handling in forms**
+  - Show error summary at the top of the form.
+  - Link each error to its field with `aria-describedby`.
+  - Move focus to the first error field or the error summary.
+
+- **Icon buttons**
+  - Every icon-only button must have `aria-label`.
+  - Example: `<button aria-label="Close dialog"><XIcon /></button>`
+
+- **Tables**
+  - Use `<th scope="col">` for column headers and `<th scope="row">` for row headers.
+  - Use `<caption>` to describe the table's purpose.
+
+## Testing Tools
+
+- axe DevTools (browser extension)
+- Lighthouse accessibility audit
+- VoiceOver (macOS) / NVDA (Windows) for screen reader testing
+- `prefers-reduced-motion` emulation in DevTools