ship-safe 1.0.0

package/cli/bin/ship-safe.js

@@ -0,0 +1,97 @@
+#!/usr/bin/env node
+
+/**
+ * Ship Safe CLI
+ * =============
+ *
+ * Security toolkit for vibe coders and indie hackers.
+ *
+ * USAGE:
+ *   npx ship-safe scan [path]      Scan for secrets in your codebase
+ *   npx ship-safe checklist        Run the launch-day security checklist
+ *   npx ship-safe init             Initialize security configs in your project
+ *   npx ship-safe --help           Show all commands
+ */
+
+import { program } from 'commander';
+import chalk from 'chalk';
+import { scanCommand } from '../commands/scan.js';
+import { checklistCommand } from '../commands/checklist.js';
+import { initCommand } from '../commands/init.js';
+
+// =============================================================================
+// CLI CONFIGURATION
+// =============================================================================
+
+const VERSION = '1.0.0';
+
+// Banner shown on help
+const banner = `
+${chalk.cyan('███████╗██╗  ██╗██╗██████╗     ███████╗ █████╗ ███████╗███████╗')}
+${chalk.cyan('██╔════╝██║  ██║██║██╔══██╗    ██╔════╝██╔══██╗██╔════╝██╔════╝')}
+${chalk.cyan('███████╗███████║██║██████╔╝    ███████╗███████║█████╗  █████╗  ')}
+${chalk.cyan('╚════██║██╔══██║██║██╔═══╝     ╚════██║██╔══██║██╔══╝  ██╔══╝  ')}
+${chalk.cyan('███████║██║  ██║██║██║         ███████║██║  ██║██║     ███████╗')}
+${chalk.cyan('╚══════╝╚═╝  ╚═╝╚═╝╚═╝         ╚══════╝╚═╝  ╚═╝╚═╝     ╚══════╝')}
+
+${chalk.gray('Security toolkit for vibe coders. Secure your MVP in 5 minutes.')}
+`;
+
+// =============================================================================
+// PROGRAM SETUP
+// =============================================================================
+
+program
+  .name('ship-safe')
+  .description('Security toolkit for vibe coders and indie hackers')
+  .version(VERSION)
+  .addHelpText('before', banner);
+
+// -----------------------------------------------------------------------------
+// SCAN COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('scan [path]')
+  .description('Scan your codebase for leaked secrets (API keys, passwords, etc.)')
+  .option('-v, --verbose', 'Show all files being scanned')
+  .option('--no-color', 'Disable colored output')
+  .option('--json', 'Output results as JSON (useful for CI)')
+  .action(scanCommand);
+
+// -----------------------------------------------------------------------------
+// CHECKLIST COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('checklist')
+  .description('Run through the launch-day security checklist interactively')
+  .option('--no-interactive', 'Print checklist without prompts')
+  .action(checklistCommand);
+
+// -----------------------------------------------------------------------------
+// INIT COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('init')
+  .description('Initialize security configs in your project')
+  .option('-f, --force', 'Overwrite existing files')
+  .option('--gitignore', 'Only copy .gitignore')
+  .option('--headers', 'Only copy security headers config')
+  .action(initCommand);
+
+// -----------------------------------------------------------------------------
+// PARSE AND RUN
+// -----------------------------------------------------------------------------
+
+// Show help if no command provided
+if (process.argv.length === 2) {
+  console.log(banner);
+  console.log(chalk.yellow('\nQuick start:\n'));
+  console.log(chalk.white('  npx ship-safe scan .        ') + chalk.gray('# Scan current directory for secrets'));
+  console.log(chalk.white('  npx ship-safe checklist     ') + chalk.gray('# Run security checklist'));
+  console.log(chalk.white('  npx ship-safe init          ') + chalk.gray('# Add security configs to your project'));
+  console.log(chalk.white('\n  npx ship-safe --help        ') + chalk.gray('# Show all options'));
+  console.log();
+  process.exit(0);
+}
+
+program.parse();

package/cli/commands/checklist.js

@@ -0,0 +1,223 @@
+/**
+ * Checklist Command
+ * =================
+ *
+ * Interactive launch-day security checklist.
+ *
+ * USAGE:
+ *   ship-safe checklist              Interactive mode (prompts for each item)
+ *   ship-safe checklist --no-interactive   Print checklist without prompts
+ *
+ * This walks you through the 10-point security checklist before launch.
+ */
+
+import chalk from 'chalk';
+import readline from 'readline';
+import * as output from '../utils/output.js';
+
+// =============================================================================
+// CHECKLIST ITEMS
+// =============================================================================
+
+const CHECKLIST_ITEMS = [
+  {
+    title: 'No exposed .git folder',
+    check: 'curl -I https://yoursite.com/.git/config (should return 404)',
+    risk: 'Attackers can download your entire codebase including commit history with secrets.',
+    fix: 'Configure web server to block .git access. Vercel/Netlify do this by default.'
+  },
+  {
+    title: 'Debug mode disabled',
+    check: 'Verify NODE_ENV=production, DEBUG=false in your deployment.',
+    risk: 'Debug mode exposes stack traces, environment variables, and internal paths.',
+    fix: 'Set production environment variables in your hosting platform.'
+  },
+  {
+    title: 'Database RLS/Security rules enabled',
+    check: 'Supabase: Check Policies tab. Firebase: Check Rules tab.',
+    risk: 'Without row-level security, any user can read/write any data.',
+    fix: 'Define explicit RLS policies for each table. Never use "allow all" rules.'
+  },
+  {
+    title: 'No hardcoded API keys in frontend',
+    check: 'Run: npx ship-safe scan ./src',
+    risk: 'Anyone viewing source code can steal your API keys.',
+    fix: 'Move secrets to server-side environment variables. Use API routes to proxy.'
+  },
+  {
+    title: 'HTTPS enforced',
+    check: 'Visit http://yoursite.com - should redirect to https://',
+    risk: 'HTTP traffic can be intercepted and modified (MITM attacks).',
+    fix: 'Enable "Force HTTPS" in your hosting platform settings.'
+  },
+  {
+    title: 'Security headers configured',
+    check: 'Visit securityheaders.com and enter your URL.',
+    risk: 'Missing headers enable clickjacking, XSS, and data sniffing.',
+    fix: 'Use ship-safe init --headers to add security headers config.'
+  },
+  {
+    title: 'Rate limiting on auth endpoints',
+    check: 'Try hitting /login 100 times quickly. Should block you.',
+    risk: 'Without rate limiting, attackers can brute-force passwords.',
+    fix: 'Add rate limiting middleware or use auth providers with built-in protection.'
+  },
+  {
+    title: 'No sensitive data in URLs',
+    check: 'Search codebase for: ?token=, ?api_key=, ?password=',
+    risk: 'URLs are logged everywhere. Tokens in URLs get leaked.',
+    fix: 'Send sensitive data in headers or POST body, never in URLs.'
+  },
+  {
+    title: 'Error messages don\'t leak info',
+    check: 'Trigger errors intentionally. Check for stack traces in response.',
+    risk: 'Detailed errors help attackers understand your system.',
+    fix: 'Show generic errors to users. Log details server-side only.'
+  },
+  {
+    title: 'Admin routes protected',
+    check: 'Try accessing /admin, /api/admin, /dashboard without auth.',
+    risk: 'Exposed admin panels are the #1 target for attackers.',
+    fix: 'Add auth middleware. Consider IP whitelisting for admin routes.'
+  }
+];
+
+// =============================================================================
+// MAIN CHECKLIST FUNCTION
+// =============================================================================
+
+export async function checklistCommand(options = {}) {
+  console.log();
+  console.log(chalk.cyan.bold('='.repeat(60)));
+  console.log(chalk.cyan.bold('  Launch Day Security Checklist'));
+  console.log(chalk.cyan.bold('='.repeat(60)));
+  console.log();
+  console.log(chalk.gray('Complete these 10 checks before going live.'));
+  console.log(chalk.gray('Each one takes under 1 minute to verify.'));
+  console.log();
+
+  if (options.interactive === false) {
+    // Non-interactive: just print the checklist
+    printChecklist();
+    return;
+  }
+
+  // Interactive mode
+  await runInteractiveChecklist();
+}
+
+// =============================================================================
+// NON-INTERACTIVE MODE
+// =============================================================================
+
+function printChecklist() {
+  for (let i = 0; i < CHECKLIST_ITEMS.length; i++) {
+    const item = CHECKLIST_ITEMS[i];
+    const num = i + 1;
+
+    console.log(chalk.white.bold(`${num}. [ ] ${item.title}`));
+    console.log(chalk.gray(`   Check: ${item.check}`));
+    console.log(chalk.yellow(`   Risk: ${item.risk}`));
+    console.log(chalk.green(`   Fix: ${item.fix}`));
+    console.log();
+  }
+
+  console.log(chalk.cyan('='.repeat(60)));
+  console.log(chalk.gray('Copy this checklist or run with interactive mode:'));
+  console.log(chalk.white('  npx ship-safe checklist'));
+  console.log(chalk.cyan('='.repeat(60)));
+}
+
+// =============================================================================
+// INTERACTIVE MODE
+// =============================================================================
+
+async function runInteractiveChecklist() {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+
+  const results = [];
+
+  console.log(chalk.gray('For each item, press:'));
+  console.log(chalk.green('  y') + chalk.gray(' = Done/Verified'));
+  console.log(chalk.yellow('  s') + chalk.gray(' = Skip for now'));
+  console.log(chalk.red('  n') + chalk.gray(' = Not done (will show fix)'));
+  console.log(chalk.gray('  q = Quit'));
+  console.log();
+
+  for (let i = 0; i < CHECKLIST_ITEMS.length; i++) {
+    const item = CHECKLIST_ITEMS[i];
+    const num = i + 1;
+
+    console.log(chalk.cyan('-'.repeat(60)));
+    console.log(chalk.white.bold(`\n${num}/${CHECKLIST_ITEMS.length}: ${item.title}\n`));
+    console.log(chalk.gray(`How to check: ${item.check}`));
+    console.log();
+
+    const answer = await askQuestion(rl, chalk.white('Status? [y/s/n/q]: '));
+
+    if (answer.toLowerCase() === 'q') {
+      console.log(chalk.yellow('\nChecklist paused. Run again to continue.'));
+      rl.close();
+      return;
+    }
+
+    if (answer.toLowerCase() === 'y') {
+      results.push({ item, status: 'done' });
+      console.log(chalk.green('\u2714 Marked as complete\n'));
+    } else if (answer.toLowerCase() === 's') {
+      results.push({ item, status: 'skipped' });
+      console.log(chalk.yellow('\u2192 Skipped\n'));
+    } else {
+      results.push({ item, status: 'todo' });
+      console.log();
+      console.log(chalk.red('\u26a0 Risk: ') + item.risk);
+      console.log(chalk.green('\u2192 Fix: ') + item.fix);
+      console.log();
+    }
+  }
+
+  rl.close();
+
+  // Print summary
+  printSummary(results);
+}
+
+function askQuestion(rl, question) {
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      resolve(answer);
+    });
+  });
+}
+
+function printSummary(results) {
+  const done = results.filter(r => r.status === 'done').length;
+  const skipped = results.filter(r => r.status === 'skipped').length;
+  const todo = results.filter(r => r.status === 'todo').length;
+
+  console.log();
+  console.log(chalk.cyan('='.repeat(60)));
+  console.log(chalk.cyan.bold('  Summary'));
+  console.log(chalk.cyan('='.repeat(60)));
+  console.log();
+  console.log(chalk.green(`  \u2714 Completed: ${done}`));
+  console.log(chalk.yellow(`  \u2192 Skipped: ${skipped}`));
+  console.log(chalk.red(`  \u2718 Todo: ${todo}`));
+  console.log();
+
+  if (todo === 0 && skipped === 0) {
+    console.log(chalk.green.bold('  \ud83d\ude80 You\'re ready to ship safely!'));
+  } else if (todo > 0) {
+    console.log(chalk.yellow('  Items still need attention:'));
+    for (const r of results.filter(r => r.status === 'todo')) {
+      console.log(chalk.red(`    \u2022 ${r.item.title}`));
+    }
+  }
+
+  console.log();
+  console.log(chalk.gray('  Tip: Security is ongoing. Schedule monthly reviews.'));
+  console.log(chalk.cyan('='.repeat(60)));
+}

package/cli/commands/init.js

@@ -0,0 +1,265 @@
+/**
+ * Init Command
+ * ============
+ *
+ * Initialize security configurations in the current project.
+ * Copies pre-configured security files from ship-safe.
+ *
+ * USAGE:
+ *   ship-safe init              Copy all security configs
+ *   ship-safe init --gitignore  Only copy .gitignore
+ *   ship-safe init --headers    Only copy security headers
+ *   ship-safe init -f           Force overwrite existing files
+ *
+ * FILES COPIED:
+ *   - .gitignore (merged with existing if present)
+ *   - nextjs-security-headers.js (for Next.js projects)
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import chalk from 'chalk';
+import * as output from '../utils/output.js';
+
+// Get the directory of this module (for finding config files)
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const PACKAGE_ROOT = path.resolve(__dirname, '..', '..');
+
+// =============================================================================
+// MAIN INIT FUNCTION
+// =============================================================================
+
+export async function initCommand(options = {}) {
+  const targetDir = process.cwd();
+
+  console.log();
+  output.header('Initializing Security Configs');
+  console.log();
+  console.log(chalk.gray(`Target directory: ${targetDir}`));
+  console.log();
+
+  const results = {
+    copied: [],
+    skipped: [],
+    merged: [],
+    errors: []
+  };
+
+  // Determine which files to copy
+  const copyGitignore = !options.headers || options.gitignore;
+  const copyHeaders = !options.gitignore || options.headers;
+
+  // Copy .gitignore
+  if (copyGitignore) {
+    await handleGitignore(targetDir, options.force, results);
+  }
+
+  // Copy security headers
+  if (copyHeaders) {
+    await handleSecurityHeaders(targetDir, options.force, results);
+  }
+
+  // Print summary
+  printSummary(results);
+}
+
+// =============================================================================
+// GITIGNORE HANDLING
+// =============================================================================
+
+async function handleGitignore(targetDir, force, results) {
+  const sourcePath = path.join(PACKAGE_ROOT, '.gitignore');
+  const targetPath = path.join(targetDir, '.gitignore');
+
+  // Check if source exists
+  if (!fs.existsSync(sourcePath)) {
+    results.errors.push({
+      file: '.gitignore',
+      error: 'Source file not found in ship-safe package'
+    });
+    return;
+  }
+
+  const sourceContent = fs.readFileSync(sourcePath, 'utf-8');
+
+  // Check if target exists
+  if (fs.existsSync(targetPath)) {
+    if (force) {
+      // Overwrite
+      fs.writeFileSync(targetPath, sourceContent);
+      results.copied.push('.gitignore (overwritten)');
+    } else {
+      // Merge: append ship-safe patterns to existing
+      const existingContent = fs.readFileSync(targetPath, 'utf-8');
+
+      // Check if already has ship-safe content
+      if (existingContent.includes('# SHIP SAFE')) {
+        results.skipped.push('.gitignore (already contains ship-safe patterns)');
+        return;
+      }
+
+      // Append ship-safe section
+      const mergedContent = existingContent.trim() + '\n\n' +
+        '# =============================================================================\n' +
+        '# SHIP SAFE ADDITIONS\n' +
+        '# Added by: npx ship-safe init\n' +
+        '# =============================================================================\n\n' +
+        extractSecurityPatterns(sourceContent);
+
+      fs.writeFileSync(targetPath, mergedContent);
+      results.merged.push('.gitignore');
+    }
+  } else {
+    // Create new
+    fs.writeFileSync(targetPath, sourceContent);
+    results.copied.push('.gitignore');
+  }
+}
+
+/**
+ * Extract the most important security patterns from our .gitignore
+ */
+function extractSecurityPatterns(fullGitignore) {
+  // Extract key sections
+  const patterns = `
+# Environment files
+.env
+.env.local
+.env*.local
+*.env
+
+# Private keys & certificates
+*.pem
+*.key
+*.p12
+*.pfx
+
+# Credentials
+*credentials*
+*.secrets.json
+secrets.yml
+secrets.yaml
+
+# Service accounts
+**/service-account*.json
+*-firebase-adminsdk-*.json
+
+# AWS
+.aws/credentials
+
+# Database files
+*.sqlite
+*.sqlite3
+*.db
+
+# Logs (may contain sensitive data)
+*.log
+logs/
+`;
+
+  return patterns.trim();
+}
+
+// =============================================================================
+// SECURITY HEADERS HANDLING
+// =============================================================================
+
+async function handleSecurityHeaders(targetDir, force, results) {
+  const sourcePath = path.join(PACKAGE_ROOT, 'configs', 'nextjs-security-headers.js');
+  const targetPath = path.join(targetDir, 'security-headers.config.js');
+
+  // Check if source exists
+  if (!fs.existsSync(sourcePath)) {
+    results.errors.push({
+      file: 'security-headers.config.js',
+      error: 'Source file not found in ship-safe package'
+    });
+    return;
+  }
+
+  // Detect if this is a Next.js project
+  const packageJsonPath = path.join(targetDir, 'package.json');
+  let isNextProject = false;
+
+  if (fs.existsSync(packageJsonPath)) {
+    try {
+      const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+      isNextProject = !!(packageJson.dependencies?.next || packageJson.devDependencies?.next);
+    } catch {
+      // Ignore parse errors
+    }
+  }
+
+  // Check if target exists
+  if (fs.existsSync(targetPath) && !force) {
+    results.skipped.push('security-headers.config.js (already exists, use -f to overwrite)');
+    return;
+  }
+
+  // Copy the file
+  const content = fs.readFileSync(sourcePath, 'utf-8');
+  fs.writeFileSync(targetPath, content);
+  results.copied.push('security-headers.config.js');
+
+  // Show integration instructions
+  if (isNextProject) {
+    console.log(chalk.cyan('\nNext.js detected! Add to your next.config.js:\n'));
+    console.log(chalk.gray('  const { securityHeadersConfig } = require(\'./security-headers.config.js\');'));
+    console.log(chalk.gray('  module.exports = { ...securityHeadersConfig, /* your config */ };'));
+    console.log();
+  }
+}
+
+// =============================================================================
+// SUMMARY
+// =============================================================================
+
+function printSummary(results) {
+  console.log();
+  console.log(chalk.cyan('='.repeat(60)));
+  console.log(chalk.cyan.bold('  Summary'));
+  console.log(chalk.cyan('='.repeat(60)));
+  console.log();
+
+  if (results.copied.length > 0) {
+    console.log(chalk.green.bold('Created:'));
+    for (const file of results.copied) {
+      console.log(chalk.green(`  \u2714 ${file}`));
+    }
+    console.log();
+  }
+
+  if (results.merged.length > 0) {
+    console.log(chalk.blue.bold('Merged:'));
+    for (const file of results.merged) {
+      console.log(chalk.blue(`  \u2194 ${file} (appended ship-safe patterns)`));
+    }
+    console.log();
+  }
+
+  if (results.skipped.length > 0) {
+    console.log(chalk.yellow.bold('Skipped:'));
+    for (const file of results.skipped) {
+      console.log(chalk.yellow(`  \u2192 ${file}`));
+    }
+    console.log();
+  }
+
+  if (results.errors.length > 0) {
+    console.log(chalk.red.bold('Errors:'));
+    for (const { file, error } of results.errors) {
+      console.log(chalk.red(`  \u2718 ${file}: ${error}`));
+    }
+    console.log();
+  }
+
+  // Next steps
+  console.log(chalk.cyan('Next steps:'));
+  console.log(chalk.white('  1.') + ' Review the copied files and customize for your project');
+  console.log(chalk.white('  2.') + ' Run ' + chalk.cyan('npx ship-safe scan .') + ' to check for secrets');
+  console.log(chalk.white('  3.') + ' Run ' + chalk.cyan('npx ship-safe checklist') + ' before launching');
+  console.log();
+  console.log(chalk.cyan('='.repeat(60)));
+}