Skip to content

feat(protect): scaffold response screening + first scaffolder tests#70

Merged
patchstackdave merged 2 commits into
mainfrom
feat/protect-scaffold-response-screening
Jul 14, 2026
Merged

feat(protect): scaffold response screening + first scaffolder tests#70
patchstackdave merged 2 commits into
mainfrom
feat/protect-scaffold-response-screening

Conversation

@patchstackdave

Copy link
Copy Markdown
Contributor

Driven by validating the real patchstack-connect protect install path against a genuine Lovable app.

Validated the scaffolder end-to-end (no bug found)

Ran the real shipped CLI (dist/cli.js protect) against a copy of the Lovable Cloud Server reference app (pristine — manual overlay removed):

  • detects the stack, scaffolds guard.ts + rules.json
  • patches client.ts (browser→Supabase tunnel) and start.ts (both guards registered first; existing attachSupabaseAuth/errorMiddleware preserved)
  • idempotent (re-run → no dupes)
  • seeding examples/protect/demo-rules.json as the fallback → 11/11 demo rows enforce through the guard's own config.

Broaden response screening

Previously the installed guard screened responses only on the Supabase-tunnel path. Now:

  • guard.ts exports screenResponse(response) — screens a web Response via the response rules; passthrough for non-Response values and on any error (fail-open, never breaks a response).
  • install.ts wires return screenResponse(await next()) into the request middleware, so SSR / non-tunnel responses are screened for leaked secrets & PII too.

Scaffolder now testable + tested

  • install.ts resolves the templates dir for both the built layout (dist/cli.jsprotect/templates) and the source layout (src/protect/templates sibling). It was dist-only, so runProtect couldn't run from source.
  • tests/protect/install.test.ts (NEW, +5): first coverage for the scaffolder — scaffold, client patch, start.ts wiring incl. response screening, idempotency, unsupported-stack skip.

390 tests pass, typecheck + build clean.

🤖 Generated with Claude Code

Broaden the installed guard beyond the Supabase-tunnel path so SSR / non-tunnel
responses are also screened for leaked secrets & PII:

- guard.ts template: export screenResponse(response) — screens a web Response via
  the protection's response rules; passthrough for non-Response values and on any
  error (fail-open, never breaks a response).
- install.ts: wire `return screenResponse(await next())` into the request
  middleware and add screenResponse to the guard import (fresh installs).
- install.ts: resolve the templates dir for BOTH the built layout (dist/cli.js →
  protect/templates) and the source layout (src/protect/ → templates sibling), so
  runProtect is exercisable from source. This was previously dist-only.
- tests/protect/install.test.ts (NEW, +5): first coverage for the scaffolder —
  scaffolds guard+rules, patches client.ts tunnel, wires both guards + response
  screening into start.ts preserving existing middleware, is idempotent, and skips
  an unsupported stack.

Validated end-to-end by running the real shipped CLI against a genuine Lovable
app copy (anchors match, idempotent, seeded demo rules enforce 11/11). 390 tests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderbuds

coderbuds Bot commented Jul 14, 2026

Copy link
Copy Markdown

Response screening scaffolder and tests are well-structured and comprehensive.

🎯 Quality: 100% Elite · 📦 Size: Medium

📈 This month: Your 27th PR — above team average · Averaging Excellent

See how your team is trending →

@patchstackdave

Copy link
Copy Markdown
Contributor Author

/review

@patchstackdave patchstackdave merged commit 716f6ca into main Jul 14, 2026
4 checks passed
@patchstackdave patchstackdave deleted the feat/protect-scaffold-response-screening branch July 14, 2026 13:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants