chore(npm): declare SPDX license, add author, add SECURITY.md

SECURITY.md

@@ -0,0 +1,41 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+Please report security issues privately through GitHub's **private vulnerability
+reporting** for this repository:
+
+- Go to the repository's **Security** tab → **Report a vulnerability**, or visit
+  <https://github.com/derek-palmer/codeforerunner/security/advisories/new>.
+
+This opens a private advisory visible only to the maintainers. Please do **not**
+open a public issue for a suspected vulnerability. We aim to acknowledge a report
+within a few days and will coordinate a fix and disclosure with you.
+
+## Package capabilities
+
+`codeforerunner` is distributed as an **installer**: the npm package
+(`bin/install.js`) places codeforerunner's slash-command skills into the
+configuration directories of the agent CLIs you already use. By its nature an
+installer needs broader system access than a typical library, so supply-chain
+scanners (e.g. Socket.dev) flag the following capabilities. They are expected
+and intrinsic to what the tool does:
+
+- **Network access** — fetches skill content and probes the npm registry to
+  resolve what to install. No telemetry is sent; the package collects nothing
+  about you.
+- **Filesystem access** — writes skill files under your home directory (for
+  example `~/.codex/…`, `~/.claude/…`). Installs are idempotent and confined to
+  codeforerunner-managed regions; existing unmanaged content is never
+  overwritten.
+- **Process/shell access** — detects which agent CLIs are present and invokes
+  their own installers (for example `gemini extensions install`).
+
+The package declares **no runtime dependencies**, runs **no install scripts**
+(no `postinstall`), and is published with **npm provenance**. If you prefer not
+to grant these capabilities, you can inspect `bin/install.js` (it is plain,
+unminified JavaScript) or install individual skills manually.
+
+## Supported versions
+
+Only the latest published version receives security fixes.

package.json

@@ -35,7 +35,8 @@
     "cursor",
     "windsurf"
   ],
-  "license": "SEE LICENSE IN LICENSE.md",
+  "license": "LicenseRef-Codeforerunner-SAL-0.1",
+  "author": "Derek Palmer",
   "repository": {
     "type": "git",
     "url": "https://github.com/derek-palmer/codeforerunner.git"

tests/test_package_metadata.py

@@ -0,0 +1,35 @@
+"""Guard the npm package.json metadata that feeds the Socket.dev profile.
+
+The license is declared machine-readably via its SPDX `LicenseRef` id (the
+project is source-available by design — see
+docs/adr/0002-source-available-license-over-socket-score.md), and authorship
+is present and consistent with pyproject.toml.
+"""
+
+from __future__ import annotations
+
+import json
+import tomllib
+from pathlib import Path
+
+REPO = Path(__file__).resolve().parent.parent
+
+
+def _package_json() -> dict:
+    return json.loads((REPO / "package.json").read_text(encoding="utf-8"))
+
+
+def test_license_is_declared_spdx_licenseref():
+    assert _package_json()["license"] == "LicenseRef-Codeforerunner-SAL-0.1"
+
+
+def test_license_file_for_the_ref_exists():
+    assert (REPO / "LICENSES" / "LicenseRef-Codeforerunner-SAL-0.1.txt").is_file()
+
+
+def test_author_present_and_matches_pyproject():
+    author = _package_json().get("author")
+    assert author, "package.json must declare an author"
+    pyproject = tomllib.loads((REPO / "pyproject.toml").read_text(encoding="utf-8"))
+    py_authors = [a["name"] for a in pyproject["project"]["authors"]]
+    assert author in py_authors, f"{author!r} not in pyproject authors {py_authors!r}"