From 80700aa6a5db607ef7d558da3b7934c52d202873 Mon Sep 17 00:00:00 2001 From: "Derek Palmer (Creative)" Date: Sat, 30 May 2026 10:24:25 -0400 Subject: [PATCH] chore(npm): declare SPDX license, add author, add SECURITY.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Socket.dev profile hardening (cheap, real wins; capability alerts and the non-OSI License subscore are structural and accepted — see ADR-0002): - package.json license → SPDX LicenseRef-Codeforerunner-SAL-0.1 (was the opaque "SEE LICENSE IN LICENSE.md"); machine-readable, matches the REUSE-style LICENSES/ layout. npm pack emits no license warning. - package.json author "Derek Palmer", consistent with pyproject. - SECURITY.md: package-capabilities rationale (why an installer needs network/filesystem/process access) + GitHub private vulnerability reporting channel. Closes #85
---
 SECURITY.md | 41 ++++++++++++++++++++++++++++++++++ package.json | 3 ++- tests/test_package_metadata.py | 35 +++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md create mode 100644 tests/test_package_metadata.py
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..9a9acf8
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,41 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+Please report security issues privately through GitHub's **private vulnerability
+reporting** for this repository:
+
+- Go to the repository's **Security** tab → **Report a vulnerability**, or visit
+ .
+
+This opens a private advisory visible only to the maintainers. Please do **not**
+open a public issue for a suspected vulnerability. We aim to acknowledge a report
+within a few days and will coordinate a fix and disclosure with you.
+
+## Package capabilities
+
+`codeforerunner` is distributed as an **installer**: the npm package
+(`bin/install.js`) places codeforerunner's slash-command skills into the
+configuration directories of the agent CLIs you already use. By its nature an
+installer needs broader system access than a typical library, so supply-chain
+scanners (e.g. Socket.dev) flag the following capabilities. They are expected
+and intrinsic to what the tool does:
+
+- **Network access** — fetches skill content and probes the npm registry to
+ resolve what to install. No telemetry is sent; the package collects nothing
+ about you.
+- **Filesystem access** — writes skill files under your home directory (for
+ example `~/.codex/…`, `~/.claude/…`). Installs are idempotent and confined to
+ codeforerunner-managed regions; existing unmanaged content is never
+ overwritten.
+- **Process/shell access** — detects which agent CLIs are present and invokes
+ their own installers (for example `gemini extensions install`).
+
+The package declares **no runtime dependencies**, runs **no install scripts**
+(no `postinstall`), and is published with **npm provenance**. If you prefer not
+to grant these capabilities, you can inspect `bin/install.js` (it is plain,
+unminified JavaScript) or install individual skills manually.
+
+## Supported versions
+
+Only the latest published version receives security fixes.
diff --git a/package.json b/package.json
index f8ba7a5..a3cffad 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,8 @@
 "cursor",
 "windsurf"
 ],
- "license": "SEE LICENSE IN LICENSE.md",
+ "license": "LicenseRef-Codeforerunner-SAL-0.1",
+ "author": "Derek Palmer",
 "repository": {
 "type": "git",
 "url": "https://github.com/derek-palmer/codeforerunner.git"
diff --git a/tests/test_package_metadata.py b/tests/test_package_metadata.py
new file mode 100644
index 0000000..65190eb
--- /dev/null
+++ b/tests/test_package_metadata.py
@@ -0,0 +1,35 @@
+"""Guard the npm package.json metadata that feeds the Socket.dev profile.
+
+The license is declared machine-readably via its SPDX `LicenseRef` id (the
+project is source-available by design — see
+docs/adr/0002-source-available-license-over-socket-score.md), and authorship
+is present and consistent with pyproject.toml.
+"""
+
+from __future__ import annotations
+
+import json
+import tomllib
+from pathlib import Path
+
+REPO = Path(__file__).resolve().parent.parent
+
+
+def _package_json() -> dict:
+ return json.loads((REPO / "package.json").read_text(encoding="utf-8"))
+
+
+def test_license_is_declared_spdx_licenseref():
+ assert _package_json()["license"] == "LicenseRef-Codeforerunner-SAL-0.1"
+
+
+def test_license_file_for_the_ref_exists():
+ assert (REPO / "LICENSES" / "LicenseRef-Codeforerunner-SAL-0.1.txt").is_file()
+
+
+def test_author_present_and_matches_pyproject():
+ author = _package_json().get("author")
+ assert author, "package.json must declare an author"
+ pyproject = tomllib.loads((REPO / "pyproject.toml").read_text(encoding="utf-8"))
+ py_authors = [a["name"] for a in pyproject["project"]["authors"]]
+ assert author in py_authors, f"{author!r} not in pyproject authors {py_authors!r}"
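Review bot: The module docstring says these tests guard the package.json metadata that feeds the Socket.dev profile, yet the SECURITY.md added in the same commit makes two further machine-checkable claims — no runtime dependencies and no install scripts (no `postinstall`) — that nothing in tests/test_package_metadata.py pins, so a later `dependencies` or lifecycle-script entry would silently falsify the published policy. One more test over `_package_json()` keeps the document honest; a sketch follows. Separately, in test_author_present_and_matches_pyproject the comprehension `[a["name"] for a in pyproject["project"]["authors"]]` raises KeyError instead of a readable assertion if a pyproject author entry carries only an `email`, which `[a["name"] for a in ... if "name" in a]` avoids. The `tomllib` import also pins the test suite to Python 3.11+, which is fine only if pyproject's `requires-python` already says so (not visible in this hunk).
```python
# … unchanged: module docstring, imports, REPO, _package_json and the license/author tests …


def test_no_install_scripts_and_no_runtime_dependencies():
    """Keep the SECURITY.md claims true: no npm lifecycle install scripts, no runtime deps."""
    pkg = _package_json()
    lifecycle = {"preinstall", "install", "postinstall"}
    scripts = pkg.get("scripts") or {}
    assert not lifecycle & set(scripts), f"install-time scripts declared: {sorted(lifecycle & set(scripts))!r}"
    assert not pkg.get("dependencies"), f"runtime dependencies declared: {pkg.get('dependencies')!r}"
```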