Source from repo
teach-impeccable

One-time setup that gathers your project's design context and saves it to CLAUDE.md for future sessions.
pbakausGitHub pbakausSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
749.8 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
scripts/detect-csp.mjs

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
code199 linesFree
scripts/detect-csp.mjs
1/**
2 * Scan a project tree for Content-Security-Policy signals and classify the
3 * shape so the agent knows which patch template to propose.
4 *
5 * Used at first-time `live.mjs` setup. Mechanical (grep-based) — no network,
6 * no dev server, no JS evaluation. The classification drives a user-facing
7 * consent prompt; the agent does the actual patch writing.
8 *
9 * Shapes are named by patch mechanism, not framework origin:
10 *   - "append-arrays":  CSP defined as structured directive arrays. Patch
11 *                       appends a dev-only localhost entry. Covers:
12 *                         - Monorepo helpers with additional*Src options
13 *                           (e.g. createBaseNextConfig for Next)
14 *                         - SvelteKit kit.csp.directives
15 *                         - nuxt-security module's contentSecurityPolicy
16 *   - "append-string":  CSP built as a literal value string. Patch splices
17 *                       a dev-only token into script-src and connect-src.
18 *                       Covers:
19 *                         - Inline Next.js headers() with CSP string
20 *                         - Nuxt routeRules / nitro.routeRules CSP headers
21 *   - "middleware":     CSP set dynamically in middleware.{ts,js}.
22 *                       Detected but not auto-patched in v1.
23 *   - "meta-tag":       <meta http-equiv="Content-Security-Policy"> in
24 *                       layout files. Detected but not auto-patched in v1.
25 *   - null:             no CSP signals found; no patch needed.
26 */
27 
28import fs from 'node:fs';
29import path from 'node:path';
30 
31const SKIP_DIRS = new Set([
32  'node_modules',
33  '.git',
34  '.next',
35  '.turbo',
36  '.svelte-kit',
37  '.nuxt',
38  '.astro',
39  'dist',
40  'build',
41  'out',
42  '.vercel',
43]);
44 
45const SCAN_EXTS = new Set(['.js', '.mjs', '.cjs', '.ts', '.mts', '.cts', '.tsx', '.jsx']);
46const LAYOUT_EXTS = new Set(['.tsx', '.jsx', '.astro', '.vue', '.svelte', '.html']);
47const MAX_DEPTH = 6;
48const MAX_READ_BYTES = 64 * 1024;
49 
50// append-arrays signals: CSP expressed as structured directive arrays
51const MONOREPO_HELPER_SIGNALS = [
52  /\bbuildCSPConfig\b/,
53  /\bbuildSecurityHeaders\b/,
54  /\badditionalScriptSrc\b/,
55  /\badditionalConnectSrc\b/,
56  /\bcreateBaseNextConfig\b/,
57];
58const SVELTEKIT_CSP_SIGNALS = [
59  /\bkit\s*:/,
60  /\bcsp\s*:/,
61  /\bdirectives\s*:/,
62];
63const NUXT_SECURITY_SIGNALS = [
64  /['"]nuxt-security['"]/,
65  /\bcontentSecurityPolicy\b/,
66];
67 
68// append-string signals: CSP written as a literal value string
69const INLINE_HEADER_SIGNALS = [
70  /["']Content-Security-Policy["']/i,
71  /\bscript-src\b/,
72  /\bconnect-src\b/,
73];
74const NUXT_ROUTE_RULES_SIGNALS = [
75  /\brouteRules\b/,
76  /Content-Security-Policy/i,
77  /\bscript-src\b/,
78];
79 
80const MIDDLEWARE_HINT = /headers\.set\(\s*["']Content-Security-Policy["']/i;
81const META_TAG_HINT = /http-equiv\s*=\s*["']Content-Security-Policy["']/i;
82 
83/**
84 * @param {string} cwd Project root.
85 * @returns {{ shape: string|null, signals: string[] }}
86 */
87export function detectCsp(cwd = process.cwd()) {
88  const hits = { appendArrays: [], appendString: [], middleware: [], metaTag: [] };
89 
90  walk(cwd, cwd, 0, (absPath, relPath, body) => {
91    const ext = path.extname(absPath);
92    const base = path.basename(absPath).toLowerCase();
93    const isConfig = (name) =>
94      new RegExp('(^|/)' + name + '\\.config\\.').test(relPath);
95 
96    // === append-arrays candidates ===
97 
98    // Monorepo CSP helper: packages/*/src/.../(config|security)/*
99    if (SCAN_EXTS.has(ext) &&
100        /packages\/[^/]+\/src\/.*(config|next-config|security)/.test(relPath) &&
101        MONOREPO_HELPER_SIGNALS.some((re) => re.test(body))) {
102      hits.appendArrays.push(relPath);
103      return;
104    }
105 
106    // SvelteKit kit.csp.directives
107    if (SCAN_EXTS.has(ext) && isConfig('svelte') &&
108        SVELTEKIT_CSP_SIGNALS.every((re) => re.test(body))) {
109      hits.appendArrays.push(relPath);
110      return;
111    }
112 
113    // Nuxt nuxt-security module
114    if (SCAN_EXTS.has(ext) && isConfig('nuxt') &&
115        NUXT_SECURITY_SIGNALS.every((re) => re.test(body))) {
116      hits.appendArrays.push(relPath);
117      return;
118    }
119 
120    // === append-string candidates ===
121 
122    // Inline headers in Next/Nuxt/SvelteKit/Astro/Vite config
123    if (SCAN_EXTS.has(ext) &&
124        /(^|\/)(next|nuxt|vite|astro|svelte)\.config\./.test(relPath) &&
125        INLINE_HEADER_SIGNALS.every((re) => re.test(body))) {
126      // Nuxt routeRules is a sub-shape of append-string; we already covered
127      // nuxt-security above via return, so any remaining Nuxt CSP match here
128      // is a route-rules / inline-headers case. Either way, same patch
129      // mechanism.
130      hits.appendString.push(relPath);
131      return;
132    }
133 
134    // === detect-only shapes ===
135 
136    if ((base === 'middleware.ts' || base === 'middleware.js' || base === 'middleware.mjs') &&
137        MIDDLEWARE_HINT.test(body)) {
138      hits.middleware.push(relPath);
139    }
140 
141    if (LAYOUT_EXTS.has(ext) && META_TAG_HINT.test(body)) {
142      hits.metaTag.push(relPath);
143    }
144  });
145 
146  // Priority: append-arrays > append-string > middleware > meta-tag.
147  // Structured patches are safer than string splices; runtime and HTML
148  // injection patches are less reliable and v1 doesn't auto-apply them.
149  if (hits.appendArrays.length > 0) {
150    return { shape: 'append-arrays', signals: hits.appendArrays };
151  }
152  if (hits.appendString.length > 0) {
153    return { shape: 'append-string', signals: hits.appendString };
154  }
155  if (hits.middleware.length > 0) {
156    return { shape: 'middleware', signals: hits.middleware };
157  }
158  if (hits.metaTag.length > 0) {
159    return { shape: 'meta-tag', signals: hits.metaTag };
160  }
161  return { shape: null, signals: [] };
162}
163 
164function walk(root, dir, depth, visit) {
165  if (depth > MAX_DEPTH) return;
166  let entries;
167  try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
168  catch { return; }
169 
170  for (const entry of entries) {
171    const abs = path.join(dir, entry.name);
172    if (entry.isDirectory()) {
173      if (SKIP_DIRS.has(entry.name)) continue;
174      walk(root, abs, depth + 1, visit);
175      continue;
176    }
177    if (!entry.isFile()) continue;
178    const ext = path.extname(entry.name);
179    if (!SCAN_EXTS.has(ext) && !LAYOUT_EXTS.has(ext)) continue;
180    let body;
181    try {
182      const fd = fs.openSync(abs, 'r');
183      try {
184        const buf = Buffer.alloc(MAX_READ_BYTES);
185        const n = fs.readSync(fd, buf, 0, MAX_READ_BYTES, 0);
186        body = buf.slice(0, n).toString('utf-8');
187      } finally { fs.closeSync(fd); }
188    } catch { continue; }
189    visit(abs, path.relative(root, abs), body);
190  }
191}
192 
193// CLI mode
194const _running = process.argv[1];
195if (_running?.endsWith('detect-csp.mjs') || _running?.endsWith('detect-csp.mjs/')) {
196  const result = detectCsp(process.cwd());
197  console.log(JSON.stringify(result, null, 2));
198}
199
Preparing the source view

teach-impeccable

scripts/detect-csp.mjs
