npm - secure-repo - Versions diffs - 1.2.0 → 1.3.0 - Mend

secure-repo 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -93,7 +93,7 @@ Every template is:
 ## What You Get (Free)
-Three templates that cover the foundations:
+Four templates that cover the foundations:
 **SECURITY.md** — No secrets in code. Privileged keys server-side only. Database access control mandatory. Server endpoints for all writes. Incident response steps.
@@ -101,6 +101,8 @@ Three templates that cover the foundations:
 **API.md** — Input validation on every endpoint. Rate limiting on all public routes. Error responses that don't leak internals. Endpoint conventions. CORS rules. Pagination enforcement.
+**ACCESSIBILITY.md** — WCAG 2.1 AA compliance. Semantic HTML. Keyboard navigation. Screen reader support. Color contrast. Font sizes. Touch targets.
 Each file includes:
 - Rules marked "MUST FOLLOW"
 - Code patterns to copy
@@ -181,12 +183,12 @@ npx secure-repo list              # Show all available templates
 | | Free | Pro Pack |
 |--|------|---------|
 | Security audit command | Included | Included |
-| Core security policies (3 files) | Included | Included |
+| Core security policies (4 files) | Included | Included |
 | Deep engineering standards (18 files) | - | Included |
 | 100+ point audit checklist | - | Included |
 | Stack presets (Supabase, Firebase) | - | Included |
 | Code examples (5 files) | - | Included |
-| **Total policy files** | **3** | **30** |
+| **Total policy files** | **4** | **31** |
 ---

package/bin/cli.js CHANGED Viewed

@@ -213,6 +213,31 @@ function downloadProZip(destPath, licenseKey) {
   });
 }
+// ============================================================
+// Detect stack from package.json dependencies
+// ============================================================
+function detectStacks(projectDir) {
+  const pkgPath = path.join(projectDir, "package.json");
+  if (!fs.existsSync(pkgPath)) return [];
+  try {
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+    const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+    const stacks = [];
+    if (allDeps["@supabase/supabase-js"] || allDeps["@supabase/ssr"] || allDeps["@supabase/auth-helpers-nextjs"]) {
+      stacks.push("supabase");
+    }
+    if (allDeps["firebase"] || allDeps["firebase-admin"] || allDeps["firebase-functions"]) {
+      stacks.push("firebase");
+    }
+    return stacks;
+  } catch {
+    return [];
+  }
+}
 // ============================================================
 // Extract zip and install pro templates
 // ============================================================
@@ -244,13 +269,18 @@ function installFromZip(zipPath, outputDir, force) {
       totalSkipped += r.skipped;
     }
-    // Copy presets
+    // Copy presets — only install presets matching detected stack
     const presetsDir = path.join(tempDir, "presets");
     if (fs.existsSync(presetsDir)) {
+      const detectedStacks = detectStacks(outputDir);
       const presets = fs.readdirSync(presetsDir).filter((f) =>
         fs.statSync(path.join(presetsDir, f)).isDirectory()
       );
       presets.forEach((preset) => {
+        if (detectedStacks.length > 0 && !detectedStacks.includes(preset)) {
+          console.log(`\n  Preset: ${preset} (skipped — not detected in package.json)`);
+          return;
+        }
         const presetDest = path.join(outputDir, `${preset}-preset`);
         console.log(`\n  Preset: ${preset} (-> ${preset}-preset/)`);
         const r = copyFiles(path.join(presetsDir, preset), presetDest, force);
@@ -344,9 +374,20 @@ function writeAgentFiles(outputDir, force) {
     const dir = path.dirname(fullPath);
     if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-    if (fs.existsSync(fullPath) && !force) {
-      console.log(`    [skip] ${filePath} (${name}) — use --force to overwrite`);
-      skipped++;
+    if (fs.existsSync(fullPath)) {
+      const existing = fs.readFileSync(fullPath, "utf8");
+      const isShipSecureBoilerplate = existing.includes("# Security Policies — MUST READ") && existing.includes("ShipSecure");
+      if (isShipSecureBoilerplate && force) {
+        fs.writeFileSync(fullPath, AGENT_INSTRUCTION);
+        console.log(`    [done] ${filePath} (${name})`);
+        written++;
+      } else if (isShipSecureBoilerplate) {
+        console.log(`    [skip] ${filePath} (${name}) — use --force to overwrite`);
+        skipped++;
+      } else {
+        console.log(`    [skip] ${filePath} (${name}) — existing content detected, won't overwrite`);
+        skipped++;
+      }
     } else {
       fs.writeFileSync(fullPath, AGENT_INSTRUCTION);
       console.log(`    [done] ${filePath} (${name})`);
@@ -482,6 +523,29 @@ function importPack() {
 // ============================================================
 // AUDIT — scan repo for security issues (the viral command)
 // ============================================================
+function checkForUpdate() {
+  return new Promise((resolve) => {
+    const timeout = setTimeout(() => resolve(null), 3000);
+    https.get("https://registry.npmjs.org/secure-repo/latest", (res) => {
+      let data = "";
+      res.on("data", (chunk) => (data += chunk));
+      res.on("end", () => {
+        clearTimeout(timeout);
+        try {
+          const latest = JSON.parse(data).version;
+          const pkg = require("../package.json");
+          resolve(latest !== pkg.version ? latest : null);
+        } catch {
+          resolve(null);
+        }
+      });
+    }).on("error", () => {
+      clearTimeout(timeout);
+      resolve(null);
+    });
+  });
+}
 function audit() {
   const targetDir = getArg("--output") || process.cwd();
@@ -496,7 +560,7 @@ function audit() {
   // Score weights (total = 100)
   const SCORE_WEIGHTS = {
     policyHigh: 10,    // 4 high-severity files × 10 = 40
-    policyMedium: 5,   // 3 medium-severity files × 5 = 15
+    policyMedium: 5,   // 4 medium-severity files × 5 = 20
     gitignoreEnv: 10,  // .env in .gitignore
     noEnvFiles: 10,    // no committed .env files
     envExample: 5,     // .env.example exists
@@ -546,9 +610,22 @@ function audit() {
   envFiles.forEach((envFile) => {
     const envPath = path.join(targetDir, envFile);
     if (fs.existsSync(envPath)) {
-      console.log(`    [FAIL] ${envFile} exists in repo — may contain secrets`);
-      issues++;
-      envFilesFound++;
+      // Check if file is git-ignored before flagging
+      let isIgnored = false;
+      try {
+        execSync(`git check-ignore -q "${envPath}"`, { stdio: "pipe" });
+        isIgnored = true;
+      } catch {
+        // exit code 1 = not ignored
+      }
+      if (isIgnored) {
+        console.log(`    [pass] ${envFile} exists but is gitignored`);
+        passed++;
+      } else {
+        console.log(`    [FAIL] ${envFile} exists and is NOT gitignored — may contain secrets`);
+        issues++;
+        envFilesFound++;
+      }
     }
   });
   if (envFilesFound === 0) {
@@ -664,7 +741,16 @@ function audit() {
     console.log("  Run: npx secure-repo upgrade");
   }
-  console.log();
+  // Check for newer version (non-blocking)
+  checkForUpdate().then((latest) => {
+    if (latest) {
+      console.log(`\n  Update available: v${latest} (you have v${require("../package.json").version})`);
+      console.log("  Run: npx secure-repo@latest init\n");
+    } else {
+      console.log();
+    }
+  });
   return issues;
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "secure-repo",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Drop production-grade security standards into any repo. Audit your repo for security issues. Templates for AI-assisted development.",
   "bin": {
     "secure-repo": "./bin/cli.js"