toolip 1.0.3 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +599 -0
  2. package/package.json +1 -1
package/README.md ADDED
@@ -0,0 +1,599 @@
1
+ # Toolip
2
+
3
+ <p align="center">
4
+ <strong>Developer-First Supply Chain Security, Security Hygiene, and Secrets Management CLI</strong>
5
+ </p>
6
+
7
+ <p align="center">
8
+ Dependency Intelligence • Security Auditing • Secret Detection • Git Security • Learning Mode • Encrypted Vault
9
+ </p>
10
+
11
+ ---
12
+
13
+ ## Overview
14
+
15
+ Toolip is a TypeScript-powered developer security companion designed to help developers build safer software.
16
+
17
+ Modern development relies heavily on third-party packages, environment variables, cloud credentials, CI/CD pipelines, and Git workflows. While security tooling often targets enterprise security teams, developers are frequently left with tools that identify problems without explaining them.
18
+
19
+ Toolip takes a different approach.
20
+
21
+ Instead of simply reporting findings, Toolip focuses on education, remediation guidance, and practical developer workflows.
22
+
23
+ Toolip combines:
24
+
25
+ * Supply Chain Security
26
+ * Dependency Intelligence
27
+ * Developer Security Auditing
28
+ * Secret Detection
29
+ * Git Security
30
+ * Security Scorecards
31
+ * Encrypted Local Secret Storage
32
+ * Security Learning Resources
33
+
34
+ Everything runs locally.
35
+
36
+ No accounts.
37
+
38
+ No dashboards.
39
+
40
+ No SaaS.
41
+
42
+ No subscriptions.
43
+
44
+ ---
45
+
46
+ ## Why Toolip?
47
+
48
+ Most tools stop at:
49
+
50
+ ```text
51
+ Security issue found.
52
+ ```
53
+
54
+ Toolip goes further:
55
+
56
+ * What is wrong?
57
+ * Why does it matter?
58
+ * How risky is it?
59
+ * How do you fix it?
60
+ * What alternatives exist?
61
+ * How can you prevent it in future?
62
+
63
+ The goal is to help developers understand security while improving security posture.
64
+
65
+ ---
66
+
67
+ ## Installation
68
+
69
+ ### npm
70
+
71
+ ```bash
72
+ npm install -g toolip
73
+ ```
74
+
75
+ Verify installation:
76
+
77
+ ```bash
78
+ toolip --version
79
+ ```
80
+
81
+ ---
82
+
83
+ ## Quick Start
84
+
85
+ Analyze a project:
86
+
87
+ ```bash
88
+ toolip profile
89
+
90
+ toolip scan
91
+
92
+ toolip doctor
93
+
94
+ toolip score
95
+ ```
96
+
97
+ Review Git hygiene:
98
+
99
+ ```bash
100
+ toolip git-audit
101
+
102
+ toolip pre-commit
103
+ ```
104
+
105
+ Inspect packages:
106
+
107
+ ```bash
108
+ toolip inspect express
109
+
110
+ toolip compare axios got
111
+
112
+ toolip alternatives request
113
+ ```
114
+
115
+ Manage secrets:
116
+
117
+ ```bash
118
+ toolip vault init
119
+
120
+ toolip vault set DATABASE_URL
121
+
122
+ toolip vault get DATABASE_URL
123
+ ```
124
+
125
+ ---
126
+
127
+ # Features
128
+
129
+ ---
130
+
131
+ ## Project Fingerprinting
132
+
133
+ ```bash
134
+ toolip profile
135
+ ```
136
+
137
+ Detects technologies used within a project.
138
+
139
+ Examples:
140
+
141
+ * Node.js
142
+ * TypeScript
143
+ * Fastify
144
+ * Express
145
+ * React
146
+ * PostgreSQL
147
+ * MongoDB
148
+ * Redis
149
+
150
+ Provides technology-aware recommendations.
151
+
152
+ ---
153
+
154
+ ## Dependency Scanning
155
+
156
+ ```bash
157
+ toolip scan
158
+ ```
159
+
160
+ Analyzes project dependencies.
161
+
162
+ Detects:
163
+
164
+ * Deprecated packages
165
+ * Outdated packages
166
+ * High-risk packages
167
+ * Dependency bloat
168
+ * Supply chain concerns
169
+
170
+ Provides actionable recommendations.
171
+
172
+ ---
173
+
174
+ ## Package Inspection
175
+
176
+ ```bash
177
+ toolip inspect express
178
+ ```
179
+
180
+ Displays:
181
+
182
+ * Latest version
183
+ * Maintainer information
184
+ * Deprecation status
185
+ * Package metadata
186
+ * Risk score
187
+
188
+ Useful when evaluating new dependencies.
189
+
190
+ ---
191
+
192
+ ## Package Comparison
193
+
194
+ ```bash
195
+ toolip compare axios got
196
+ ```
197
+
198
+ Compare multiple packages based on:
199
+
200
+ * Dependency count
201
+ * Risk indicators
202
+ * Maintenance activity
203
+ * General package health
204
+
205
+ Useful when choosing between alternatives.
206
+
207
+ ---
208
+
209
+ ## Package Alternatives
210
+
211
+ ```bash
212
+ toolip alternatives request
213
+ ```
214
+
215
+ Suggests safer or more modern replacements for packages that are:
216
+
217
+ * Deprecated
218
+ * Legacy
219
+ * Poorly maintained
220
+
221
+ ---
222
+
223
+ ## Dependency Tree Analysis
224
+
225
+ ```bash
226
+ toolip tree
227
+ ```
228
+
229
+ Provides visibility into dependency structure.
230
+
231
+ Displays:
232
+
233
+ * Dependency hierarchy
234
+ * Dependency depth
235
+ * Transitive relationships
236
+
237
+ Useful when investigating package risk.
238
+
239
+ ---
240
+
241
+ ## License Analysis
242
+
243
+ ```bash
244
+ toolip licenses
245
+ ```
246
+
247
+ Analyzes project licensing.
248
+
249
+ Provides:
250
+
251
+ * License inventory
252
+ * License distribution
253
+ * Restrictive license warnings
254
+
255
+ ---
256
+
257
+ # Security Doctor
258
+
259
+ ```bash
260
+ toolip doctor
261
+ ```
262
+
263
+ Runs a comprehensive project security audit.
264
+
265
+ Checks for:
266
+
267
+ ### Secret Exposure
268
+
269
+ Detects:
270
+
271
+ * GitHub tokens
272
+ * API keys
273
+ * JWT secrets
274
+ * AWS credentials
275
+ * Private keys
276
+ * Hardcoded passwords
277
+
278
+ ### Dangerous Code Patterns
279
+
280
+ Detects:
281
+
282
+ * eval()
283
+ * Function constructor usage
284
+ * Unsafe shell execution
285
+ * Dangerous runtime patterns
286
+
287
+ ### Configuration Risks
288
+
289
+ Checks for:
290
+
291
+ * Open CORS policies
292
+ * Insecure configuration patterns
293
+ * Weak environment practices
294
+
295
+ ### Security Headers
296
+
297
+ Identifies missing:
298
+
299
+ * Content-Security-Policy
300
+ * X-Frame-Options
301
+ * X-Content-Type-Options
302
+ * Strict-Transport-Security
303
+
304
+ ---
305
+
306
+ # Git Security
307
+
308
+ ---
309
+
310
+ ## Git Audit
311
+
312
+ ```bash
313
+ toolip git-audit
314
+ ```
315
+
316
+ Analyzes Git hygiene.
317
+
318
+ Checks for:
319
+
320
+ * Sensitive files
321
+ * Weak ignore rules
322
+ * Dangerous artifacts
323
+ * Common security mistakes
324
+
325
+ ---
326
+
327
+ ## Pre-Commit Checks
328
+
329
+ ```bash
330
+ toolip pre-commit
331
+ ```
332
+
333
+ Runs blocking security checks before commits.
334
+
335
+ Detects:
336
+
337
+ * Secrets
338
+ * Credentials
339
+ * Security violations
340
+ * Dangerous files
341
+
342
+ Designed to stop mistakes before they reach Git history.
343
+
344
+ ---
345
+
346
+ ## Git Hook Installation
347
+
348
+ ```bash
349
+ toolip hook install
350
+ ```
351
+
352
+ Installs Toolip-powered Git hooks.
353
+
354
+ Allows security checks to run automatically before commits.
355
+
356
+ ---
357
+
358
+ # Security Scorecards
359
+
360
+ ```bash
361
+ toolip score
362
+ ```
363
+
364
+ Calculates a security score based on:
365
+
366
+ * Dependency Health
367
+ * Secret Hygiene
368
+ * Configuration Security
369
+ * Git Safety
370
+
371
+ Example:
372
+
373
+ ```text
374
+ Dependency Health .... 91
375
+ Secret Hygiene ....... 84
376
+ Configuration ........ 88
377
+ Git Safety ........... 95
378
+
379
+ Overall Score ........ 89
380
+ Grade ................ A
381
+ ```
382
+
383
+ ---
384
+
385
+ # Learning Mode
386
+
387
+ One of Toolip's signature features.
388
+
389
+ ```bash
390
+ toolip learn cors
391
+ ```
392
+
393
+ Toolip teaches while it scans.
394
+
395
+ Available topics include:
396
+
397
+ * CORS
398
+ * JWT
399
+ * XSS
400
+ * CSRF
401
+ * Authentication
402
+ * Authorization
403
+ * Secrets Management
404
+ * Dependency Security
405
+
406
+ Each lesson includes:
407
+
408
+ * Explanation
409
+ * Risks
410
+ * Common mistakes
411
+ * Secure examples
412
+ * Best practices
413
+
414
+ Designed for developers learning secure software engineering.
415
+
416
+ ---
417
+
418
+ # Toolip Vault
419
+
420
+ Toolip includes a lightweight encrypted local secrets manager.
421
+
422
+ ---
423
+
424
+ ## Initialize Vault
425
+
426
+ ```bash
427
+ toolip vault init
428
+ ```
429
+
430
+ Creates an encrypted local vault.
431
+
432
+ ---
433
+
434
+ ## Store Secrets
435
+
436
+ ```bash
437
+ toolip vault set DATABASE_URL
438
+ ```
439
+
440
+ Stores secrets securely.
441
+
442
+ ---
443
+
444
+ ## Retrieve Secrets
445
+
446
+ ```bash
447
+ toolip vault get DATABASE_URL
448
+ ```
449
+
450
+ Returns decrypted values after authentication.
451
+
452
+ ---
453
+
454
+ ## List Secrets
455
+
456
+ ```bash
457
+ toolip vault list
458
+ ```
459
+
460
+ Displays secret names without revealing values.
461
+
462
+ ---
463
+
464
+ ## Delete Secrets
465
+
466
+ ```bash
467
+ toolip vault delete DATABASE_URL
468
+ ```
469
+
470
+ Removes stored secrets.
471
+
472
+ ---
473
+
474
+ ## Export Environment Variables
475
+
476
+ ```bash
477
+ toolip vault export --env development
478
+ ```
479
+
480
+ Supports:
481
+
482
+ * development
483
+ * staging
484
+ * production
485
+
486
+ ---
487
+
488
+ ## Vault Security Features
489
+
490
+ * AES-256 Encryption
491
+ * Password Protection
492
+ * Local Storage Only
493
+ * Offline Operation
494
+
495
+ No cloud storage.
496
+
497
+ No synchronization.
498
+
499
+ No accounts.
500
+
501
+ No remote services.
502
+
503
+ ---
504
+
505
+ # Command Reference
506
+
507
+ | Command | Description |
508
+ | ------------------- | ---------------------------------- |
509
+ | toolip profile | Fingerprint project technologies |
510
+ | toolip scan | Analyze dependencies |
511
+ | toolip doctor | Perform security audit |
512
+ | toolip score | Generate security scorecard |
513
+ | toolip inspect | Inspect package metadata |
514
+ | toolip compare | Compare packages |
515
+ | toolip alternatives | Suggest replacements |
516
+ | toolip licenses | Analyze licenses |
517
+ | toolip tree | Analyze dependency hierarchy |
518
+ | toolip git-audit | Audit Git hygiene |
519
+ | toolip pre-commit | Run pre-commit security checks |
520
+ | toolip hook install | Install Git hooks |
521
+ | toolip learn | Security education mode |
522
+ | toolip vault | Encrypted local secrets management |
523
+
524
+ ---
525
+
526
+ # Design Principles
527
+
528
+ Toolip follows several guiding principles:
529
+
530
+ * Developer First
531
+ * CLI First
532
+ * Security Education
533
+ * Local Development Friendly
534
+ * CI/CD Friendly
535
+ * Framework Agnostic
536
+ * Actionable Guidance
537
+ * Secure by Default
538
+
539
+ ---
540
+
541
+ # Technology Stack
542
+
543
+ Built with:
544
+
545
+ * TypeScript
546
+ * Node.js
547
+ * Commander.js
548
+ * Vitest
549
+ * Chalk
550
+ * Ora
551
+ * Zod
552
+ * npm Registry APIs
553
+ * Git Integration
554
+ * Node Crypto APIs
555
+
556
+ ---
557
+
558
+ # Use Cases
559
+
560
+ Toolip is useful for:
561
+
562
+ * Backend Engineers
563
+ * Platform Engineers
564
+ * DevOps Engineers
565
+ * Open Source Maintainers
566
+ * Startup Teams
567
+ * Full Stack Developers
568
+ * Students Learning Security
569
+
570
+ ---
571
+
572
+ # Portfolio Positioning
573
+
574
+ Toolip demonstrates experience with:
575
+
576
+ * TypeScript Engineering
577
+ * CLI Development
578
+ * Security Engineering Concepts
579
+ * Supply Chain Security
580
+ * Secret Management
581
+ * Static Analysis
582
+ * Git Integration
583
+ * Risk Scoring Systems
584
+ * Developer Experience Design
585
+ * Secure Development Workflows
586
+
587
+ ---
588
+
589
+ # Author
590
+
591
+ **Ashibuogwu Williams (wbizmo)**
592
+
593
+ GitHub: https://github.com/wbizmo
594
+
595
+ ---
596
+
597
+ # License
598
+
599
+ MIT License
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "toolip",
3
- "version": "1.0.3",
3
+ "version": "1.0.5",
4
4
  "description": "Developer-first supply chain security, security hygiene, and secrets management CLI.",
5
5
  "type": "module",
6
6
  "bin": {