From fb265c89d3450628ccdbad246b3f564261594eb2 Mon Sep 17 00:00:00 2001 From: Dave Jong Date: Wed, 15 Jul 2026 09:41:43 +0200 Subject: [PATCH 1/2] feat(protect): opt-in route-level WAF (env) + `protect --demo` sample rules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two scaffolder features (both build on the #75 guard.ts type-safety fix, included here): Route-level WAF (env-gated, off by default): - guard.ts exports guardRequest(request) — runs the request-phase rules via fetchGuard on a cloned request and returns a 403 on a match (fail-open). - the scaffolded request middleware calls it only when PATCHSTACK_ROUTE_WAF=1, so a plain `GET /?file=../../etc/passwd` gets a 403. Opt-in because it runs broad request rules on all traffic (classic-WAF false-positive surface); the default only screens the data path. `protect --demo`: - seeds a broad, many-class sample rule set (src/protect/templates/demo-rules.json, generated from + kept in lockstep with examples/protect/demo-rules.json minus its _demo vectors) instead of the high-precision starter, and SKIPS baking a site UUID so the local sample rules stay active (a baked UUID makes the guard fetch live Pulse rules instead). - default install now writes the starter rules only if absent (no longer clobbers a customized rules.json on re-run). - disclosed in the CLI help + AGENT-INSTALL.md; PATCHSTACK_MODE / PATCHSTACK_ROUTE_WAF added to the env list. Verified: real CLI `protect --demo` seeds the 11-class bundle; route-WAF blocks a path-traversal URL (403) and allows benign; +8 scaffolder tests incl. a template/examples parity check. 416 tests. Co-Authored-By: Claude Opus 4.8 --- AGENT-INSTALL.md | 2 +- src/cli.ts | 11 +- src/protect/install.ts | 43 +++-- src/protect/templates/demo-rules.json | 238 ++++++++++++++++++++++++++ src/protect/templates/guard.ts | 14 ++ tests/protect/demo-rules.test.ts | 10 ++ tests/protect/install.test.ts | 39 +++++ 7 files changed, 341 insertions(+), 16 deletions(-) create mode 100644 src/protect/templates/demo-rules.json diff --git a/AGENT-INSTALL.md b/AGENT-INSTALL.md index 472729a..2b556bf 100644 --- a/AGENT-INSTALL.md +++ b/AGENT-INSTALL.md @@ -8,7 +8,7 @@ This versioned reference ships inside `@patchstack/connect` and documents each s - It reads the project's **dependency list only** — from the lockfile (`package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`) or, on bun projects (`bun.lock`/`bun.lockb`), by enumerating the installed packages under `node_modules/` — and sends package names + versions to Patchstack for vulnerability matching. No source code, no env var values, no file paths, no git history. (`mark-build` additionally stamps built HTML with a coarse stack descriptor that may include hosting-related env variable *names* — e.g. `VERCEL`, `CF_PAGES` — never their values.) - **`scan` makes one source edit, and only after a successful post:** it adds (or updates) the disclosure widget's `