Skip to content

[NO-TICKET] Land the published protect command (npm 0.2.9/0.2.10) on main#36

Merged
ejntaylor merged 5 commits into
mainfrom
pulse-protect-command
Jul 13, 2026
Merged

[NO-TICKET] Land the published protect command (npm 0.2.9/0.2.10) on main#36
ejntaylor merged 5 commits into
mainfrom
pulse-protect-command

Conversation

@ejntaylor

Copy link
Copy Markdown
Contributor

Why this PR exists

npm and main have diverged: versions 0.2.9 and 0.2.10 are live on npm (published 2026-07-13 12:33/13:00 UTC from this branch) but the code was never merged to main. Meanwhile main gained #35 (build-stack descriptor in mark-build), which is not in the published 0.2.10. The v0.2.11 release attempt from main then failed its version guard because main's package.json still says 0.2.8.

This PR is the review venue for getting main ⊇ npm again. Two ways to resolve:

  1. Merge this (after review) → then bump main to 0.2.11 and re-tag, shipping protect + [feat] Detect and inject a build-stack descriptor in mark-build #35 together.
  2. Close this and roll back npm insteadnpm deprecate @patchstack/connect@"0.2.9 || 0.2.10" "unreviewed pre-release", and release 0.2.11 from main without protect. Note the Pulse v1 scope had protection slated for August, and the 0.2.10 default is always-on blocking (dry-run only via explicit env) — worth a deliberate call on whether that default ships.

What's on the branch (devlob's work, unreviewed)

  • New patchstack-connect protect command — idempotent installer for the runtime guard (virtual patching) targeting TanStack Start + Supabase apps: src/protect/install.ts + scaffolded guard.ts/engine.js/rules.json templates (+527 lines).
  • 0.2.10 flips the guard to always-on blocking by default.
  • package.json bumped to 0.2.10 on the branch.

Either way, don't re-tag v0.2.11 until main's package.json matches — the publish workflow's guard (correctly) blocks the mismatch.

Ref: failed run https://github.com/patchstack/connect/actions/runs/29254424852

🤖 Generated with Claude Code

devlob added 4 commits July 13, 2026 13:03
patchstack-connect protect [--manifest] scaffolds the WAF guard into a
TanStack Start + Supabase app (engine, guard, rules, manifest), patches the
generated Supabase client + Start entry idempotently, and wires a manifest
refresh into prebuild. --manifest regenerates the package manifest only.

The guard tunnels browser data traffic through an in-app server guard that
runs the rule engine and blocks exploit payloads against known-vulnerable
packages (virtual patching) with zero changes to the user's own code.
…sses tsc

Lovable's build type-checks; guard.ts imported ./engine.js and ./manifest.js
(plain JS, no declarations) -> TS7016. Ship .d.ts for both, type the rules
cast as Rule[], and copy templates post-build (tsup's dts pass was clobbering
the .d.ts when copied via onSuccess). Verified: fresh scaffold -> tsc clean.
@coderbuds

coderbuds Bot commented Jul 13, 2026

Copy link
Copy Markdown

Adds cohesive runtime protection CLI with template scaffolding for server-side JS apps.

🎯 Quality: 77% Good · 📦 Size: Large — consider splitting if possible

🛡️ Standards: no pre-flight fit check ran for this change — wire assess-change-fit into your coding agents to catch size before opening.

📈 This month: Your 214th PR — above team average · Averaging Good

See how your team is trending →

Resolves the import conflict in src/cli.ts — both features coexist.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@ejntaylor ejntaylor merged commit 6156963 into main Jul 13, 2026
4 checks passed
@ejntaylor ejntaylor deleted the pulse-protect-command branch July 13, 2026 14:20
devlob added a commit that referenced this pull request Jul 13, 2026
…lineage

Two 0.3.x protect lineages had diverged. main (0.3.3, #36-#41) advanced the
scaffold-engine + local-manifest/--manifest approach; this branch vendored the
node-waf engine into the package (@patchstack/connect/protect) and added the
TanStack server-function guard. This takes the vendored lineage as canonical:

- scaffolds only guard.ts + rules.json (the WAF engine ships in the package)
- protect wires BOTH request middleware (browser tunnel) AND function middleware
  (TanStack server functions); per-piece idempotent so upgrades reconcile cleanly
- drops the scaffolded engine.js/manifest.js templates and the --manifest flag
  (the vendored engine handles package-conditional rules via the API/rules)

Preserves all of main's non-protect advances: in-package install guide,
mark-build build-stack descriptor, tag-driven release workflow, guide command,
verify-first install prompt. Typecheck clean; 126 tests pass.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants