secure-repo 1.1.0 → 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/cli.js +40 -5
- package/package.json +1 -1
- package/templates/free/ACCESSIBILITY.md +99 -0
package/bin/cli.js
CHANGED
|
@@ -21,6 +21,7 @@ const RECOMMENDED_FILES = [
|
|
|
21
21
|
{ file: "SECURITY.md", category: "security", severity: "high" },
|
|
22
22
|
{ file: "AUTH.md", category: "security", severity: "high" },
|
|
23
23
|
{ file: "API.md", category: "security", severity: "high" },
|
|
24
|
+
{ file: "ACCESSIBILITY.md", category: "accessibility", severity: "medium" },
|
|
24
25
|
{ file: "DATABASE.md", category: "security", severity: "medium" },
|
|
25
26
|
{ file: "DEPLOYMENT.md", category: "operations", severity: "medium" },
|
|
26
27
|
{ file: "INCIDENT_RESPONSE.md", category: "operations", severity: "medium" },
|
|
@@ -56,9 +57,10 @@ function printHelp() {
|
|
|
56
57
|
--output Output directory (default: current directory)
|
|
57
58
|
|
|
58
59
|
Free templates (always included):
|
|
59
|
-
SECURITY.md
|
|
60
|
-
AUTH.md
|
|
61
|
-
API.md
|
|
60
|
+
SECURITY.md Secrets management, attack surface, enforced architecture
|
|
61
|
+
AUTH.md Token handling, session rules, password policy, roles
|
|
62
|
+
API.md Input validation, rate limiting, error handling
|
|
63
|
+
ACCESSIBILITY.md WCAG compliance, semantic HTML, keyboard nav, screen readers
|
|
62
64
|
|
|
63
65
|
Pro templates (purchase at https://buy.polar.sh/polar_cl_q7Wa3Gcng42437OoTx4wHVNyMMyYv0WbtobUv145EZH):
|
|
64
66
|
30 additional files — templates, audit checklist, stack presets, examples
|
|
@@ -288,6 +290,7 @@ Read each of these files if they exist before making changes:
|
|
|
288
290
|
- SECURITY.md — Secrets management, attack surface, enforced architecture
|
|
289
291
|
- AUTH.md — Token handling, session rules, password policy, roles
|
|
290
292
|
- API.md — Input validation, rate limiting, error handling
|
|
293
|
+
- ACCESSIBILITY.md — WCAG compliance, semantic HTML, keyboard navigation, screen readers
|
|
291
294
|
|
|
292
295
|
### Extended
|
|
293
296
|
- DATABASE.md — Query safety, access control, migrations
|
|
@@ -479,6 +482,29 @@ function importPack() {
|
|
|
479
482
|
// ============================================================
|
|
480
483
|
// AUDIT — scan repo for security issues (the viral command)
|
|
481
484
|
// ============================================================
|
|
485
|
+
function checkForUpdate() {
|
|
486
|
+
return new Promise((resolve) => {
|
|
487
|
+
const timeout = setTimeout(() => resolve(null), 3000);
|
|
488
|
+
https.get("https://registry.npmjs.org/secure-repo/latest", (res) => {
|
|
489
|
+
let data = "";
|
|
490
|
+
res.on("data", (chunk) => (data += chunk));
|
|
491
|
+
res.on("end", () => {
|
|
492
|
+
clearTimeout(timeout);
|
|
493
|
+
try {
|
|
494
|
+
const latest = JSON.parse(data).version;
|
|
495
|
+
const pkg = require("../package.json");
|
|
496
|
+
resolve(latest !== pkg.version ? latest : null);
|
|
497
|
+
} catch {
|
|
498
|
+
resolve(null);
|
|
499
|
+
}
|
|
500
|
+
});
|
|
501
|
+
}).on("error", () => {
|
|
502
|
+
clearTimeout(timeout);
|
|
503
|
+
resolve(null);
|
|
504
|
+
});
|
|
505
|
+
});
|
|
506
|
+
}
|
|
507
|
+
|
|
482
508
|
function audit() {
|
|
483
509
|
const targetDir = getArg("--output") || process.cwd();
|
|
484
510
|
|
|
@@ -493,7 +519,7 @@ function audit() {
|
|
|
493
519
|
// Score weights (total = 100)
|
|
494
520
|
const SCORE_WEIGHTS = {
|
|
495
521
|
policyHigh: 10, // 4 high-severity files × 10 = 40
|
|
496
|
-
policyMedium: 5, //
|
|
522
|
+
policyMedium: 5, // 4 medium-severity files × 5 = 20
|
|
497
523
|
gitignoreEnv: 10, // .env in .gitignore
|
|
498
524
|
noEnvFiles: 10, // no committed .env files
|
|
499
525
|
envExample: 5, // .env.example exists
|
|
@@ -661,7 +687,16 @@ function audit() {
|
|
|
661
687
|
console.log(" Run: npx secure-repo upgrade");
|
|
662
688
|
}
|
|
663
689
|
|
|
664
|
-
|
|
690
|
+
// Check for newer version (non-blocking)
|
|
691
|
+
checkForUpdate().then((latest) => {
|
|
692
|
+
if (latest) {
|
|
693
|
+
console.log(`\n Update available: v${latest} (you have v${require("../package.json").version})`);
|
|
694
|
+
console.log(" Run: npx secure-repo@latest init\n");
|
|
695
|
+
} else {
|
|
696
|
+
console.log();
|
|
697
|
+
}
|
|
698
|
+
});
|
|
699
|
+
|
|
665
700
|
return issues;
|
|
666
701
|
}
|
|
667
702
|
|
package/package.json
CHANGED
|
@@ -0,0 +1,99 @@
|
|
|
1
|
+
# Accessibility Policy
|
|
2
|
+
|
|
3
|
+
This repository must meet WCAG 2.1 Level AA standards. Treat accessibility requirements as **non-optional**.
|
|
4
|
+
|
|
5
|
+
## Agent Rules (MUST FOLLOW)
|
|
6
|
+
|
|
7
|
+
- **Semantic HTML first**
|
|
8
|
+
- Use `<button>` for actions, `<a>` for navigation, `<nav>`, `<main>`, `<header>`, `<footer>`, `<section>`, `<article>` for structure.
|
|
9
|
+
- Never use `<div>` or `<span>` for interactive elements. If it's clickable, it must be a `<button>` or `<a>`.
|
|
10
|
+
- Use heading hierarchy (`h1` > `h2` > `h3`) — never skip levels.
|
|
11
|
+
|
|
12
|
+
- **All images must have alt text**
|
|
13
|
+
- Informative images: describe the content (`alt="Bar chart showing 40% growth in Q3"`).
|
|
14
|
+
- Decorative images: use empty alt (`alt=""`) or CSS background.
|
|
15
|
+
- Never use `alt="image"`, `alt="photo"`, or `alt="icon"`.
|
|
16
|
+
|
|
17
|
+
- **All form inputs must have labels**
|
|
18
|
+
- Use `<label htmlFor="id">` or `aria-label` / `aria-labelledby`.
|
|
19
|
+
- Never use placeholder text as the only label.
|
|
20
|
+
- Error messages must be associated with their input via `aria-describedby`.
|
|
21
|
+
|
|
22
|
+
- **Keyboard navigation is mandatory**
|
|
23
|
+
- Every interactive element must be reachable and operable with keyboard only (Tab, Enter, Escape, Arrow keys).
|
|
24
|
+
- Focus order must follow visual reading order.
|
|
25
|
+
- Never remove `:focus` or `:focus-visible` outlines without providing a visible alternative.
|
|
26
|
+
- Modal dialogs must trap focus and return focus on close.
|
|
27
|
+
|
|
28
|
+
- **Color is never the only indicator**
|
|
29
|
+
- Error states, status indicators, and required fields must use text, icons, or patterns in addition to color.
|
|
30
|
+
- Maintain minimum contrast ratios:
|
|
31
|
+
- Normal text: 4.5:1 against background.
|
|
32
|
+
- Large text (18px+ bold or 24px+): 3:1 against background.
|
|
33
|
+
- UI components and icons: 3:1 against adjacent colors.
|
|
34
|
+
|
|
35
|
+
- **Font sizes and readability**
|
|
36
|
+
- Minimum body text: 16px (1rem). Never go below 14px for any readable text.
|
|
37
|
+
- Use relative units (`rem`, `em`) not fixed `px` for font sizes — allows user browser zoom and font size preferences.
|
|
38
|
+
- Line height: minimum 1.5 for body text, 1.2 for headings.
|
|
39
|
+
- Paragraph max-width: 65–75 characters for comfortable reading.
|
|
40
|
+
- Never disable user text scaling — do not set `maximum-scale=1` in viewport meta.
|
|
41
|
+
- Touch targets: minimum 44x44px for buttons and links on mobile.
|
|
42
|
+
|
|
43
|
+
- **ARIA usage**
|
|
44
|
+
- Prefer native HTML elements over ARIA. ARIA is a last resort, not a first choice.
|
|
45
|
+
- If you use ARIA: `aria-label`, `aria-labelledby`, `aria-describedby`, `aria-live`, `aria-expanded`, `aria-hidden`.
|
|
46
|
+
- Never use `aria-hidden="true"` on focusable elements.
|
|
47
|
+
- Dynamic content updates must use `aria-live="polite"` or `aria-live="assertive"`.
|
|
48
|
+
|
|
49
|
+
- **Motion and animation**
|
|
50
|
+
- Respect `prefers-reduced-motion`. Wrap animations in `@media (prefers-reduced-motion: no-preference)`.
|
|
51
|
+
- Never auto-play video or audio without user consent.
|
|
52
|
+
- Avoid flashing content (no more than 3 flashes per second).
|
|
53
|
+
|
|
54
|
+
## Required Checks Before Merge
|
|
55
|
+
|
|
56
|
+
- **Keyboard test**
|
|
57
|
+
- Tab through every interactive element on the page.
|
|
58
|
+
- Verify focus is visible, logical, and never trapped (except in modals).
|
|
59
|
+
|
|
60
|
+
- **Screen reader test**
|
|
61
|
+
- Headings, landmarks, form labels, and alt text must be announced correctly.
|
|
62
|
+
- Dynamic updates (toasts, errors, loading states) must be announced via `aria-live`.
|
|
63
|
+
|
|
64
|
+
- **Color contrast check**
|
|
65
|
+
- Run a contrast checker on all text and interactive elements.
|
|
66
|
+
- Verify no information is conveyed by color alone.
|
|
67
|
+
|
|
68
|
+
- **Zoom test**
|
|
69
|
+
- Page must be usable at 200% browser zoom with no content loss or overlap.
|
|
70
|
+
|
|
71
|
+
## Patterns To Use
|
|
72
|
+
|
|
73
|
+
- **Skip navigation link**
|
|
74
|
+
- Add a "Skip to main content" link as the first focusable element.
|
|
75
|
+
- `<a href="#main" className="sr-only focus:not-sr-only">Skip to main content</a>`
|
|
76
|
+
|
|
77
|
+
- **Loading states**
|
|
78
|
+
- Use `aria-busy="true"` on containers that are loading.
|
|
79
|
+
- Announce completion with `aria-live="polite"`.
|
|
80
|
+
|
|
81
|
+
- **Error handling in forms**
|
|
82
|
+
- Show error summary at the top of the form.
|
|
83
|
+
- Link each error to its field with `aria-describedby`.
|
|
84
|
+
- Move focus to the first error field or the error summary.
|
|
85
|
+
|
|
86
|
+
- **Icon buttons**
|
|
87
|
+
- Every icon-only button must have `aria-label`.
|
|
88
|
+
- Example: `<button aria-label="Close dialog"><XIcon /></button>`
|
|
89
|
+
|
|
90
|
+
- **Tables**
|
|
91
|
+
- Use `<th scope="col">` for column headers and `<th scope="row">` for row headers.
|
|
92
|
+
- Use `<caption>` to describe the table's purpose.
|
|
93
|
+
|
|
94
|
+
## Testing Tools
|
|
95
|
+
|
|
96
|
+
- axe DevTools (browser extension)
|
|
97
|
+
- Lighthouse accessibility audit
|
|
98
|
+
- VoiceOver (macOS) / NVDA (Windows) for screen reader testing
|
|
99
|
+
- `prefers-reduced-motion` emulation in DevTools
|