Polish and publish 1.0.4 release

Author: Evan1108-Coder

.github/workflows/ci.yml

@@ -11,6 +11,9 @@ concurrency:
   group: ci-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     name: Build & test (Node ${{ matrix.node }})

.gitignore

@@ -5,12 +5,18 @@ dist/
 !.env.example
 !.env.template
 .env.local
+.envrc
 *.tgz
 .npmrc
 *.pem
 *.key
 *.p12
 *.crt
+*.token
+*.credentials.json
+secrets.json
+secrets.local.json
+.secrets/
 .DS_Store
 coverage/
 .setupr/

CHANGELOG.md

@@ -2,6 +2,15 @@
 
 All notable changes to Setupr will be documented in this file. Setupr keeps a changelog because it is a versioned developer tool with user-facing CLI behavior.
 
+## 1.0.4
+
+### Changed
+- Promoted the public README from beta language to stable-release language now that the npm package, install flow, and release checks are in place.
+- Hardened repository ignore rules for additional local secret and credential file patterns that should never be committed during real-world CLI use.
+
+### Validation
+- Re-ran the full release gate: unit tests, typecheck, lint, build, plain and TUI smoke fixtures, `release check`, npm pack/publish dry-runs, and fresh-install execution from the packed tarball.
+
 ## 1.0.3
 
 ### Fixed

README.md

@@ -2,7 +2,7 @@
 
 > **AI-powered project-control CLI.** Setupr detects your project's stack, plans setup, installs dependencies, configures environments, verifies local health, and keeps the project running — all from one terminal-native command.
 
-![Status](https://img.shields.io/badge/status-beta-6b7280) ![License](https://img.shields.io/github/license/Evan1108-Coder/Setupr) ![Node](https://img.shields.io/badge/node-%3E%3D18-3c873a) ![npm](https://img.shields.io/badge/npm-%40evan--coder%2Fsetupr-cb3837)
+![Status](https://img.shields.io/badge/status-stable-2563eb) ![License](https://img.shields.io/github/license/Evan1108-Coder/Setupr) ![Node](https://img.shields.io/badge/node-%3E%3D18-3c873a) ![npm](https://img.shields.io/badge/npm-%40evan--coder%2Fsetupr-cb3837)
 
 **TypeScript CLI · stack detection · setup automation · project doctor · terminal dashboard · AI director**
 
@@ -21,7 +21,7 @@
 | **CI / scripts** | add `--plain` (no TUI) and `--force` (skip safe prompts); `--json` for machine-readable output |
 | **Requires** | Node.js ≥ 18, a Unicode-capable terminal |
 
-> **Status: beta.** Setupr is usable as a daily CLI today. Stack-specific setup paths keep getting real-world coverage before a 1.0-stable claim.
+> **Status: stable public release.** Setupr is ready for npm installation and normal daily CLI use on supported terminals and Node versions.
 
 **Who it's for:** developers who clone projects often and don't want to manually guess install commands, runtime versions, env files, ports, or verification steps.
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@evan-coder/setupr",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "Intelligent project setup & management CLI. Auto-detects your stack, installs dependencies, configures environments, and keeps projects healthy.",
   "type": "module",
   "repository": {

package.json

@@ -143,6 +143,7 @@ async function runSingle(cwd: string, category: SecurityCategory, options: Secur
 async function scanSecrets(cwd: string, depth: "quick" | "deep"): Promise<SecurityFinding[]> {
   const findings: SecurityFinding[] = [];
   for (const file of await listFiles(cwd, depth === "quick" ? 120 : 500)) {
+    if (isNonProductionPath(file)) continue;
     if (!/\.(env|js|jsx|ts|tsx|py|go|rs|json|ya?ml|toml|md|txt|sh)$/i.test(file)) continue;
     const content = await readFile(join(cwd, file), "utf-8").catch(() => "");
     const lines = content.split(/\r?\n/);
@@ -233,14 +234,15 @@ async function scanDeps(cwd: string): Promise<SecurityFinding[]> {
 async function scanCode(cwd: string, depth: "quick" | "deep"): Promise<SecurityFinding[]> {
   const findings: SecurityFinding[] = [];
   for (const file of await listFiles(cwd, depth === "quick" ? 150 : 700)) {
+    if (isNonProductionPath(file)) continue;
     if (!/\.[jt]sx?$|\.py$|\.go$|\.rs$/i.test(file)) continue;
     const content = await readFile(join(cwd, file), "utf-8").catch(() => "");
     const checks: Array<[RegExp, string, SecuritySeverity, string]> = [
       [/\beval\s*\(|new Function\s*\(/, "Dynamic code execution", "high", "Avoid eval/new Function on user-controlled data."],
       [/child_process\.(exec|execSync)\s*\(/, "Shell execution", "medium", "Prefer spawn/execFile with argument arrays and validate inputs."],
       [/jwt\.sign\([^)]*['"]none['"]|algorithm\s*:\s*['"]none['"]/, "JWT none algorithm", "critical", "Never allow unsigned JWTs."],
       [/secure\s*:\s*false|httpOnly\s*:\s*false/, "Weak cookie option", "medium", "Use secure and httpOnly cookies for sessions."],
-      [/md5|sha1/i, "Weak hash usage", "low", "Use modern password hashing or SHA-256+ for non-password integrity."],
+      [/\b(createHash\s*\(\s*['"](?:md5|sha1)['"]|md5\s*\(|sha1\s*\()/i, "Weak hash usage", "low", "Use modern password hashing or SHA-256+ for non-password integrity."],
     ];
     for (const [pattern, title, severity, recommendation] of checks) {
       const line = content.split(/\r?\n/).findIndex((row) => pattern.test(row));
@@ -253,10 +255,27 @@ async function scanCode(cwd: string, depth: "quick" | "deep"): Promise<SecurityF
 async function scanRoutes(cwd: string): Promise<SecurityFinding[]> {
   const findings: SecurityFinding[] = [];
   for (const file of await listFiles(cwd, 500)) {
+    if (isNonProductionPath(file)) continue;
     if (!/\.[jt]sx?$|\.py$/i.test(file)) continue;
     const content = await readFile(join(cwd, file), "utf-8").catch(() => "");
-    if (/(\/admin|\/internal|\/debug)/i.test(content) && !/(auth|authorize|session|permission|requireUser|middleware)/i.test(content)) {
-      findings.push(finding(`route-admin:${file}`, "Sensitive route without nearby auth signal", "routes", "medium", file, "Confirm this route is protected by middleware or explicit authorization."));
+    const lines = content.split(/\r?\n/);
+    const line = lines.findIndex((row) => (
+      /(\/admin|\/internal|\/debug)/i.test(row)
+      && /(router|app\.|route|handler|pathname|href|redirect|rewrite|navigate|fetch|axios|\bGET\b|\bPOST\b|\bPUT\b|\bPATCH\b|\bDELETE\b)/i.test(row)
+      && !/(auth|authorize|session|permission|requireUser|middleware)/i.test(row)
+    ));
+    if (line >= 0) {
+      findings.push({
+        id: `route-admin:${file}:${line + 1}`,
+        title: "Sensitive route without nearby auth signal",
+        category: "routes",
+        severity: "medium",
+        confidence: "medium",
+        file,
+        line: line + 1,
+        evidence: redact(lines[line]),
+        recommendation: "Confirm this route is protected by middleware or explicit authorization.",
+      });
     }
   }
   return findings;
@@ -265,10 +284,23 @@ async function scanRoutes(cwd: string): Promise<SecurityFinding[]> {
 async function scanAuth(cwd: string): Promise<SecurityFinding[]> {
   const findings: SecurityFinding[] = [];
   for (const file of await listFiles(cwd, 400)) {
+    if (isNonProductionPath(file)) continue;
     if (!/\.[jt]sx?$|\.py$/i.test(file)) continue;
     const content = await readFile(join(cwd, file), "utf-8").catch(() => "");
-    if (/password/i.test(content) && /==|===/.test(content) && !/hash|bcrypt|argon|scrypt/i.test(content)) {
-      findings.push(finding(`auth-password-compare:${file}`, "Plain password comparison signal", "auth", "high", file, "Use a password hashing library and constant-time verification."));
+    const lines = content.split(/\r?\n/);
+    const line = lines.findIndex((row) => /password/i.test(row) && /(===|==)/.test(row) && !/hash|bcrypt|argon|scrypt/i.test(row));
+    if (line >= 0) {
+      findings.push({
+        id: `auth-password-compare:${file}:${line + 1}`,
+        title: "Plain password comparison signal",
+        category: "auth",
+        severity: "high",
+        confidence: "medium",
+        file,
+        line: line + 1,
+        evidence: redact(lines[line]),
+        recommendation: "Use a password hashing library and constant-time verification.",
+      });
     }
   }
   return findings;
@@ -382,7 +414,13 @@ function markdown(report: SecurityReport): string {
 async function applyIgnores(cwd: string, findings: SecurityFinding[]): Promise<SecurityFinding[]> {
   const ignored = new Set(await readProjectJson<string[]>(cwd, SECURITY_IGNORE_FILE, []));
   const baseline = new Set(await readProjectJson<string[]>(cwd, SECURITY_BASELINE_FILE, []));
-  return findings.filter((finding) => !ignored.has(finding.id) && !baseline.has(finding.id));
+  const seen = new Set<string>();
+  return findings.filter((finding) => {
+    const dedupeKey = [finding.category, finding.title, finding.file || "", finding.line || 0].join(":");
+    if (seen.has(dedupeKey)) return false;
+    seen.add(dedupeKey);
+    return !ignored.has(finding.id) && !baseline.has(finding.id);
+  });
 }
 
 async function listFiles(cwd: string, max: number): Promise<string[]> {
@@ -407,6 +445,10 @@ async function listFiles(cwd: string, max: number): Promise<string[]> {
   return files;
 }
 
+function isNonProductionPath(file: string): boolean {
+  return /(^|\/)(test|tests|__tests__|__mocks__|fixtures|fixture|examples|example|docs)(\/|$)/i.test(file);
+}
+
 function finding(id: string, title: string, category: SecurityCategory, severity: SecuritySeverity, evidence: string, recommendation: string): SecurityFinding {
   return { id, title, category, severity, confidence: "medium", evidence, recommendation };
 }

src/security/index.ts

@@ -1,5 +1,5 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { mkdtemp, readFile, rm, writeFile } from "fs/promises";
+import { mkdir, mkdtemp, readFile, rm, writeFile } from "fs/promises";
 import { existsSync } from "fs";
 import { join } from "path";
 import { tmpdir } from "os";
@@ -104,6 +104,22 @@ describe("verification and security command groups", () => {
     expect(status.health.checks.some((check) => check.label === "Security")).toBe(true);
   });
 
+  it("ignores test fixtures for code heuristics and only reports real app auth issues", async () => {
+    await writeFile(join(tempDir, "package.json"), JSON.stringify({ scripts: { test: "node -e \"console.log('ok')\"" } }, null, 2));
+    await writeFile(join(tempDir, "app.ts"), "const password = input === passwordInput;\n");
+    await mkdir(join(tempDir, "tests"), { recursive: true });
+    await mkdir(join(tempDir, ".github", "workflows"), { recursive: true });
+    await writeFile(join(tempDir, "tests", "security.test.ts"), "eval('1+1'); const password = input === passwordInput;\n");
+    await writeFile(join(tempDir, ".github", "workflows", "ci.yml"), "name: ci\non: push\npermissions:\n  contents: read\n");
+
+    const report = await runSecurityCommand(tempDir, "deep", {});
+
+    expect(report?.findings.some((finding) => finding.title === "Plain password comparison signal" && finding.file === "app.ts")).toBe(true);
+    expect(report?.findings.some((finding) => finding.file?.includes("tests/security.test.ts"))).toBe(false);
+    expect(report?.findings.some((finding) => finding.title === "Dynamic code execution")).toBe(false);
+    expect(report?.findings.some((finding) => finding.title === "GitHub workflow has no explicit permissions block")).toBe(false);
+  });
+
   it("routes CLI test/security commands through the plain command router", async () => {
     await writeFile(join(tempDir, "package.json"), JSON.stringify({ scripts: { test: "node -e \"console.log('ok')\"" } }));