[NO-TICKET] Land the published protect command (npm 0.2.9/0.2.10) on main#36
Merged
Conversation
patchstack-connect protect [--manifest] scaffolds the WAF guard into a TanStack Start + Supabase app (engine, guard, rules, manifest), patches the generated Supabase client + Start entry idempotently, and wires a manifest refresh into prebuild. --manifest regenerates the package manifest only. The guard tunnels browser data traffic through an in-app server guard that runs the rule engine and blocks exploit payloads against known-vulnerable packages (virtual patching) with zero changes to the user's own code.
…sses tsc Lovable's build type-checks; guard.ts imported ./engine.js and ./manifest.js (plain JS, no declarations) -> TS7016. Ship .d.ts for both, type the rules cast as Rule[], and copy templates post-build (tsup's dts pass was clobbering the .d.ts when copied via onSuccess). Verified: fresh scaffold -> tsc clean.
…a explicit env) — 0.2.10
|
Adds cohesive runtime protection CLI with template scaffolding for server-side JS apps. 🎯 Quality: 77% Good · 📦 Size: Large — consider splitting if possible 🛡️ Standards: no pre-flight fit check ran for this change — wire 📈 This month: Your 214th PR — above team average · Averaging Good |
Resolves the import conflict in src/cli.ts — both features coexist. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
devlob
added a commit
that referenced
this pull request
Jul 13, 2026
…lineage Two 0.3.x protect lineages had diverged. main (0.3.3, #36-#41) advanced the scaffold-engine + local-manifest/--manifest approach; this branch vendored the node-waf engine into the package (@patchstack/connect/protect) and added the TanStack server-function guard. This takes the vendored lineage as canonical: - scaffolds only guard.ts + rules.json (the WAF engine ships in the package) - protect wires BOTH request middleware (browser tunnel) AND function middleware (TanStack server functions); per-piece idempotent so upgrades reconcile cleanly - drops the scaffolded engine.js/manifest.js templates and the --manifest flag (the vendored engine handles package-conditional rules via the API/rules) Preserves all of main's non-protect advances: in-package install guide, mark-build build-stack descriptor, tag-driven release workflow, guide command, verify-first install prompt. Typecheck clean; 126 tests pass.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why this PR exists
npm and main have diverged: versions 0.2.9 and 0.2.10 are live on npm (published 2026-07-13 12:33/13:00 UTC from this branch) but the code was never merged to main. Meanwhile main gained #35 (build-stack descriptor in mark-build), which is not in the published 0.2.10. The v0.2.11 release attempt from main then failed its version guard because main's package.json still says 0.2.8.
This PR is the review venue for getting main ⊇ npm again. Two ways to resolve:
npm deprecate @patchstack/connect@"0.2.9 || 0.2.10" "unreviewed pre-release", and release 0.2.11 from main without protect. Note the Pulse v1 scope had protection slated for August, and the 0.2.10 default is always-on blocking (dry-run only via explicit env) — worth a deliberate call on whether that default ships.What's on the branch (devlob's work, unreviewed)
patchstack-connect protectcommand — idempotent installer for the runtime guard (virtual patching) targeting TanStack Start + Supabase apps:src/protect/install.ts+ scaffoldedguard.ts/engine.js/rules.jsontemplates (+527 lines).Either way, don't re-tag v0.2.11 until main's package.json matches — the publish workflow's guard (correctly) blocks the mismatch.
Ref: failed run https://github.com/patchstack/connect/actions/runs/29254424852
🤖 Generated with Claude Code