chore: initial commit

Author: UsernameLoad

.changeset/README.md

@@ -0,0 +1,32 @@
+# Changesets
+
+Hardened uses [changesets](https://github.com/changesets/changesets) for version management.
+
+## When you make a change worth releasing
+
+Run `pnpm changeset` and follow the prompts. This creates a markdown file in `.changeset/` describing the change. Commit it with your PR.
+
+## What counts as "worth releasing"
+
+- Any change to code in a published package (`@hardened/core`, `@hardened/rules-risk`, `hardened-runtime`, `hardened`)
+- New rules
+- Bug fixes affecting user-visible behavior
+- Documentation that users will see on npm
+
+## What does NOT need a changeset
+
+- Internal refactors with no behavior change
+- CI / tooling changes
+- Fixture updates
+- Internal-only docs
+
+## Release flow
+
+Maintainers merge changesets into `main`. When ready to release, run the `Version Packages` workflow which:
+
+1. Consumes all pending changesets
+2. Bumps package versions according to the collected changes
+3. Updates each package's `CHANGELOG.md`
+4. Opens a release PR
+
+Merging that PR publishes to npm with provenance.

.changeset/config.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://unpkg.com/@changesets/config@3.0.0/schema.json",
+  "changelog": "@changesets/cli/changelog",
+  "commit": false,
+  "fixed": [],
+  "linked": [],
+  "access": "public",
+  "baseBranch": "main",
+  "updateInternalDependencies": "patch",
+  "ignore": [
+    "@fixtures/sample-app",
+    "@hardened/rules-config",
+    "@hardened/rules-schema"
+  ]
+}

.devcontainer/devcontainer.json

@@ -0,0 +1,31 @@
+{
+  "name": "hardened",
+  "image": "mcr.microsoft.com/devcontainers/typescript-node:1-20-bookworm",
+  "features": {
+    "ghcr.io/devcontainers/features/github-cli:1": {},
+    "ghcr.io/devcontainers/features/common-utils:2": {}
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "dbaeumer.vscode-eslint",
+        "esbenp.prettier-vscode",
+        "vitest.explorer",
+        "editorconfig.editorconfig",
+        "unifiedjs.vscode-mdx",
+        "yzhang.markdown-all-in-one"
+      ],
+      "settings": {
+        "editor.formatOnSave": true,
+        "editor.tabSize": 2,
+        "typescript.tsdk": "node_modules/typescript/lib",
+        "files.eol": "\n"
+      }
+    }
+  },
+  "postCreateCommand": "corepack enable && pnpm install && pre-commit install || true",
+  "remoteUser": "node",
+  "mounts": [
+    "source=${localWorkspaceFolderBasename}-node_modules,target=${containerWorkspaceFolder}/node_modules,type=volume"
+  ]
+}

.editorconfig

@@ -0,0 +1,18 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[{*.yml,*.yaml}]
+indent_size = 2
+
+[Makefile]
+indent_style = tab

.gitattributes

@@ -0,0 +1,27 @@
+# Normalize line endings. Enforces LF on commit regardless of platform.
+* text=auto eol=lf
+
+# Explicit text files (make intent clear for contributors)
+*.ts        text eol=lf
+*.tsx       text eol=lf
+*.js        text eol=lf
+*.mjs       text eol=lf
+*.cjs       text eol=lf
+*.json      text eol=lf
+*.jsonc     text eol=lf
+*.yml       text eol=lf
+*.yaml      text eol=lf
+*.md        text eol=lf
+*.toml      text eol=lf
+*.sh        text eol=lf
+*.ps1       text eol=crlf
+
+# Lockfiles: text with LF endings, but mark as generated so GitHub collapses
+# them in PR diffs. Earlier we tried `-text` (binary) which prevented line-
+# ending normalization and confused pnpm's YAML parser on CI runners.
+pnpm-lock.yaml   text eol=lf linguist-generated=true
+package-lock.json text eol=lf linguist-generated=true
+yarn.lock        text eol=lf linguist-generated=true
+
+# Mark generated files so GitHub collapses them in PR diffs
+CHANGELOG.md    linguist-generated=true

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# Every PR requires review from the maintainer.
+# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+*       @UsernameLoad

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,59 @@
+name: Bug report
+description: Report a correctness or behavior issue with hardened.
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for filing a bug. Please include enough detail to reproduce the issue locally.
+
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: What did you run, and what did hardened do?
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: What did you expect?
+    validations:
+      required: true
+
+  - type: textarea
+    id: minimal-repro
+    attributes:
+      label: Minimal reproduction
+      description: A code snippet that triggers the issue, or a link to a public repo.
+      render: typescript
+    validations:
+      required: true
+
+  - type: input
+    id: hardened-version
+    attributes:
+      label: hardened version
+      placeholder: 0.1.0
+    validations:
+      required: true
+
+  - type: input
+    id: node-version
+    attributes:
+      label: Node version
+      placeholder: 20.11.1
+    validations:
+      required: true
+
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating system
+      options:
+        - Linux
+        - macOS
+        - Windows
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Ask a question
+    url: https://github.com/compactbench/hardened/discussions
+    about: Please use GitHub Discussions for usage questions.
+  - name: Security concern
+    url: https://github.com/compactbench/hardened/security/advisories/new
+    about: Report vulnerabilities privately via a Security Advisory.

.github/ISSUE_TEMPLATE/rule_proposal.yml

@@ -0,0 +1,57 @@
+name: Rule proposal
+description: Propose a new rule for hardened.
+labels: [rule-proposal]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Rule proposals are reviewed against three criteria: determinism, false-positive risk, and fit with hardened's local-transform design principles (zero/near-zero config, safe to auto-apply).
+
+  - type: input
+    id: rule-id
+    attributes:
+      label: Proposed rule ID
+      description: "Format: category/kebab-case-name. Example: risk/graphql-no-timeout"
+      placeholder: category/kebab-case-name
+    validations:
+      required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What production-reliability or correctness issue does this rule address?
+    validations:
+      required: true
+
+  - type: textarea
+    id: detection
+    attributes:
+      label: Detection strategy
+      description: What AST patterns does the rule match? Include before/after examples.
+      render: typescript
+    validations:
+      required: true
+
+  - type: textarea
+    id: fix-strategy
+    attributes:
+      label: Fix strategy
+      description: Is there a deterministic auto-fix? If not, explain why and propose finding-only.
+      render: typescript
+
+  - type: textarea
+    id: false-positive-risk
+    attributes:
+      label: False-positive risk
+      description: When might this rule fire incorrectly? How can we reduce that risk?
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: determinism
+    attributes:
+      label: Determinism check
+      options:
+        - label: The proposed fix produces byte-identical output for identical input.
+          required: true

.github/dependabot.yml

@@ -0,0 +1,28 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "UTC"
+    open-pull-requests-limit: 5
+    groups:
+      typescript:
+        patterns:
+          - "typescript"
+          - "@types/*"
+      dev-dependencies:
+        dependency-type: "development"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    commit-message:
+      prefix: "ci(deps)"