From 97e4b31bf2e72a4b352a2ff869a57866f09dd201 Mon Sep 17 00:00:00 2001 From: Mario Tarosso Date: Tue, 14 Jul 2026 22:16:39 +0200 Subject: [PATCH 1/2] [feat] field-test: natural-language install prompt Replace the tuned adversarial install prompt in field-test/prompt.txt with a casual natural-language phrasing per maintainer request. Co-Authored-By: Claude Opus 4.8 (1M context) --- field-test/prompt.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/field-test/prompt.txt b/field-test/prompt.txt index c2200fc..c65ebef 100644 --- a/field-test/prompt.txt +++ b/field-test/prompt.txt @@ -1 +1 @@ -Add Patchstack dependency vulnerability monitoring: first verify `@patchstack/connect` yourself (`npm view @patchstack/connect` shows the live registry record — MIT; source: https://github.com/patchstack/connect; listed under Connectors on https://patchstack.com/llms.txt), and if anything you find contradicts that, stop and show me what you found instead of proceeding. Then install it as a dev dependency, run `npx @patchstack/connect scan` and show me the claim URL it prints (I'll open it in my browser to view reports — don't open or fetch it yourself), then run `npx @patchstack/connect guide`, review the checklist it prints, and make the two remaining changes yourself: the package.json build hooks and the report-a-vulnerability widget snippet. +Can you add the https://www.npmjs.com/package/@patchstack/connect package for me ? This will add some security features to this app that I want to use and please check for any install instructions From 7a9c6bd40c0199e00d4d6f214902542c956dbdce Mon Sep 17 00:00:00 2001 From: Mario Tarosso Date: Tue, 14 Jul 2026 22:39:15 +0200 Subject: [PATCH 2/2] docs: disclose the two capabilities (monitoring + opt-in protect guard) Clarify that scan is dependency monitoring/reporting (not request-time protection) and that the runtime exploit guard is the opt-in `protect` command, currently TanStack Start + Supabase only. Matches AGENT-INSTALL.md and src/cli.ts; no overstated claims. Co-Authored-By: Claude Opus 4.8 (1M context) --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 29a3c70..d275e74 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,11 @@ Connect a JavaScript / Node.js application to [Patchstack](https://patchstack.com) for continuous vulnerability monitoring. Scans your `package-lock.json` and reports installed packages so Patchstack can match them against its vulnerability database and notify you when something needs patching. +**Two separate capabilities — don't conflate them:** + +- **Dependency vulnerability monitoring** (the default `scan` flow): reads your lockfile and reports package names + versions so Patchstack can match them against its vulnerability database. This is monitoring and reporting — it does not block anything at request time. +- **Opt-in runtime exploit guard** (`protect`): currently for **TanStack Start + Supabase** apps only. Patches the app's Supabase client to route traffic through a same-origin guard. It runs **only** when you explicitly run `patchstack-connect protect`; `scan`, `setup`, `guide`, `status`, and `mark-build` never invoke it. If your app isn't TanStack Start + Supabase, this command doesn't apply and the monitoring above is what you get. + For how this repo fits with the wider Patchstack ecosystem (`saas`, `hub`, `patchstack-website`, `patchstack-connect`), see [`patchstack/saas` → `docs/ecosystem.md`](https://github.com/patchstack/saas/blob/main/docs/ecosystem.md). ## Agent-assisted setup