Security hardening: safe paths, CLI install, tests, and contributor docs#315

Open

ChrisFab16 wants to merge 8 commits into nextlevelbuilder:main from ChrisFab16:feat/security-hardening

Conversation

@ChrisFab16 ChrisFab16 commented May 18, 2026

Summary

Consolidated security and quality initiative for the UI/UX Pro Max skill and uipro CLI. Adds automated tests (pytest + Bun), golden characterization fixtures, non-breaking hardening for path traversal and shell invocation, optional SHA-256 verification on legacy GitHub installs, and contributor/PR documentation.

Supersedes closed PRs: #313 (Phase 0) and #314 (Phase 1) — all work is included here in one review.

No intentional behavior change for valid inputs (search, design-system generation, default uipro init).

Maintainer note (documentation)

CONTRIBUTING.md and .github/pull_request_template.md do not exist on upstream main today. This PR proposes them as suggested maintainer docs (fork workflow, PR checklist, test commands). They can be merged as-is, edited, or omitted without blocking the security/test changes.

Type of change

  • Tests only (harness + goldens)
  • Security hardening
  • Documentation

Phases delivered

| Phase | What changed | Task IDs |
| --- | --- | --- |
| 0 | Pytest/Bun harness, test.yml CI, Makefile, remove broken conda workflow | T-001–T-005 |
| 1 | Golden search fixtures, design-system snapshot, persist/CLI characterization tests | T-010–T-016 |
| 2 | path_utils.py — slug sanitization, path jail for --persist | T-020–T-025 |
| 3 | CLI extract.ts → execFile (no shell); legacy install warning | T-030–T-034 |
| 4 | Brand sync-brand-to-tokens.cjs → execFileSync | T-040–T-041 |
| 5 | shadcn component allowlist; SVG sanitize in icon generator | T-050–T-052 |
| 6 | SECURITY.md, CONTRIBUTING.md, PR template, plan doc | T-060–T-063 |
| Deferred | Zip extract fixture test; optional release checksum verify | T-033, T-035 |

Security fixes (review focus)

  1. --persist path traversal: validate_name_input + resolve_under_base; writes only under design-system/<slug>/
  2. Legacy ZIP install — no shell unzip/cp strings; optional SHA-256 when release publishes SHA256SUMS or *.zip.sha256
  3. Brand token sync — no shell-interpolated node command
  4. Optional skills — shadcn name allowlist; SVG strips <script> / event handlers

How to review

  1. src/ui-ux-pro-max/scripts/path_utils.py + design_system.py persist changes
  2. cli/src/utils/extract.ts, checksum.ts, github.ts
  3. tests/python/golden/ and tests/python/security/
  4. CONTRIBUTING.md, SECURITY.md, .github/pull_request_template.md
  5. .github/workflows/test.yml

Test plan

  • pip install -e ".[test]" && make test (33 Python + 15 CLI passed locally)
  • pytest tests/python/golden -v
  • pytest tests/python/security -v
  • CI Test workflow green on this PR

CLI / assets sync

  • Synced cli/assets/scripts/ (design_system.py, path_utils.py) from src/ui-ux-pro-max/

Golden / snapshot tests

  • Golden baselines added in Phase 1; no ranking changes in Phase 2+

User-facing impact

  • No behavior change for normal search / template install
  • Invalid --persist project/page names now error instead of writing outside design-system/
  • --legacy install warns about unverified download; verifies checksum when maintainers publish digest files

Checklist


After merge: enable branch protection requiring the Test workflow on main.

Made with Cursor
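The --persist path jail described under "Security fixes" (a strict name check followed by a resolve-and-prove-containment step) as an added illustration; this is not the project's path_utils.py, and the helper names mirror the PR text while the slug rule (lowercase letters, digits, hyphens, 1-64 chars) is an assumption.

```python
"""Added illustration of a --persist path jail: validate the user-supplied
names as slugs, then resolve the target and prove it still lives under
design-system/. Not the project's own path_utils.py (names borrowed from
the PR description; the slug rule is an assumption for this demo)."""
import re
from pathlib import Path

# Assumed slug rule: 1-64 chars of [a-z0-9-], no leading/trailing hyphen.
_SLUG_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,62}[a-z0-9])?$")


def validate_name_input(name: str) -> str:
    """Reject anything that is not a plain slug before it touches the filesystem."""
    if not isinstance(name, str) or not name:
        raise ValueError("name must be a non-empty string")
    if not _SLUG_RE.fullmatch(name):
        raise ValueError(f"invalid name {name!r}: only lowercase letters, digits and hyphens")
    return name


def is_safe_name(name: str) -> bool:
    """Boolean form of validate_name_input for callers that prefer not to catch."""
    try:
        validate_name_input(name)
        return True
    except ValueError:
        return False


def resolve_under_base(base: Path, *parts: str) -> Path:
    """Resolve base/parts and prove the result is still inside base.

    resolve() follows symlinks, so a symlinked component pointing outside the
    jail is rejected here too, not only a literal '..' segment.
    """
    base_resolved = base.resolve()
    candidate = base_resolved.joinpath(*parts).resolve()
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        raise ValueError(f"path {candidate} escapes {base_resolved}") from None
    return candidate


def persist_target(root: Path, project: str, page: str) -> Path:
    """Compute design-system/<project>/<page>.md under root, or raise."""
    project = validate_name_input(project)
    page = validate_name_input(page)
    return resolve_under_base(root / "design-system", project, f"{page}.md")
```

The slug check alone already stops separators and dot segments; resolve_under_base is the second, independent guard that holds even if a caller bypasses validation.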

Christopher Fabritius and others added 7 commits May 18, 2026 10:28
Add pytest and Bun test infrastructure with a unified Test workflow,
replacing the broken conda workflow. Introduce CONTRIBUTING.md and a
GitHub PR template so fork-based contributions stay scoped and reviewable.
Document the security hardening phased plan for follow-up work (T-001–T-005).

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Lock search, design-system markdown, persist paths, and CLI template output
with golden JSON fixtures and snapshots. Add detect_domain table tests,
regenerate_goldens.py, and fix cli/assets resolution when running from source.

Depends on Phase 0 (PR nextlevelbuilder#313). No security hardening in this change.

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Document local phase-by-phase work with one PR to upstream when the
full plan is complete. Update CONTRIBUTING to match.

Co-authored-by: Cursor <cursoragent@cursor.com>
Phase 2: path_utils safe_slug, validate_name_input, resolve_under_base;
jail design-system persist paths; security tests.

Phase 3: CLI extract via execFile (no shell); legacy install warning.

Phase 4: brand sync uses execFileSync.

Phase 5: shadcn component allowlist; SVG sanitization; icon import-safe.

Phase 6: SECURITY.md and plan completion.

33 Python + 6 CLI tests passing. Ready for single upstream PR-FINAL.

Co-authored-by: Cursor <cursoragent@cursor.com>
- Add minimal-release.zip fixture and extractZip integration test
- Optional SHA-256 verify on legacy GitHub downloads when checksum assets exist
- Export runTokenCssRegeneration with execFile injection; brand-sync tests

Co-authored-by: Cursor <cursoragent@cursor.com>
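The optional SHA-256 verification for legacy downloads mentioned in this commit and under "Security fixes" (digest taken from a published SHA256SUMS or *.zip.sha256 asset, no verification when neither exists) as an added illustration in Python; this is not the project's checksum.ts, the line layout assumed is the usual sha256sum(1) format, and the asset names and bytes are constructed for the demo.

```python
"""Added illustration of optional release-asset digest verification. Not the
project's checksum.ts. Assumes the sha256sum(1) line layout '<hex>  <name>'
for SHA256SUMS and a single digest (optionally followed by a name) for
<asset>.zip.sha256; sample inputs are constructed."""
import hashlib
import hmac
import re
from typing import Optional

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_expected_digest(text: str, asset_name: str) -> Optional[str]:
    """Return the published hex digest for asset_name, or None if absent."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or not _HEX64.fullmatch(fields[0]):
            continue  # ignore comments, blanks and malformed lines
        # A lone digest (the *.zip.sha256 case) or a line naming our asset;
        # sha256sum prefixes '*' for binary mode, so strip it before comparing.
        if len(fields) == 1 or fields[1].lstrip("*") == asset_name:
            return fields[0].lower()
    return None


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare the actual digest with the published one in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def check_download(data: bytes, asset_name: str, sums_text: Optional[str]) -> str:
    """Return 'verified' or 'unverified'; raise ValueError on a mismatch.

    Mirrors the behaviour the PR describes: warn-only when maintainers publish
    no digest, hard failure when a digest exists and does not match.
    """
    if sums_text is None:
        return "unverified"  # no checksum asset in the release
    expected = parse_expected_digest(sums_text, asset_name)
    if expected is None:
        return "unverified"  # checksum asset exists but does not cover this file
    if not verify_sha256(data, expected):
        raise ValueError(f"SHA-256 mismatch for {asset_name}")
    return "verified"
```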
@ChrisFab16 (Author)

Maintainer note: CONTRIBUTING.md is proposed (new file)

Upstream main does not currently include CONTRIBUTING.md (or .github/pull_request_template.md). This PR suggests them as optional maintainer-facing docs alongside the security/test work—they are not prerequisites for the hardening changes.

  • CONTRIBUTING.md — fork workflow, branch naming, PR structure, make test, and cli/assets/ sync rules (derived from existing CLAUDE.md sync rules).
  • .github/pull_request_template.md — checklist for future PRs; same “take it or trim it” spirit.

If you prefer a lighter merge, you can land Phases 0–5 (tests + code) and adopt or rewrite the contributor docs separately. The README link to CONTRIBUTING.md only applies after that file is merged (or the README blurb can be dropped in review).

Happy to split doc-only commits or drop the template if you want the security PR scoped tighter.

Co-authored-by: Cursor <cursoragent@cursor.com>