From 4d2d140c3019d10d791e6ec0d70df5f08479ba23 Mon Sep 17 00:00:00 2001 From: Dave Jong Date: Wed, 15 Jul 2026 17:17:16 +0200 Subject: [PATCH 1/2] feat(protect): Express + Next.js adapters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two new per-stack adapters on the #81 interface, dependency-free (anchor + #region markers, same approach as tanstack — no AST parser, keeping dependencies:{}). - Express: detect (express dep + an `= express()` site), scaffold the generic guard, and wire `app.use(patchstackMiddleware)` right after the app is created (import + region-marked insert, idempotent). verify() checks the guard is scaffolded + the middleware is wired. - Next.js: detect (next dep); scaffold `middleware.ts` (+ co-located patchstack.rules.json) from a new template running the request-phase guard as edge middleware. An EXISTING middleware is never overwritten — we scaffold the rules and print a plan instead. verify() checks the managed middleware + rules are present. - Registered in the orchestrator (tanstack → next → express → generic fallback); AGENT-INSTALL lists the newly auto-wired stacks. +4 tests. 451 tests pass, typecheck + build clean. Co-Authored-By: Claude Opus 4.8 --- AGENT-INSTALL.md | 2 +- src/protect/install/adapters/express.ts | 130 +++++++++++++++++++++++ src/protect/install/adapters/next.ts | 91 ++++++++++++++++ src/protect/install/index.ts | 6 +- src/protect/templates/next-middleware.ts | 35 ++++++ tests/protect/adapters.test.ts | 81 ++++++++++++++ 6 files changed, 342 insertions(+), 3 deletions(-) create mode 100644 src/protect/install/adapters/express.ts create mode 100644 src/protect/install/adapters/next.ts create mode 100644 src/protect/templates/next-middleware.ts create mode 100644 tests/protect/adapters.test.ts diff --git a/AGENT-INSTALL.md b/AGENT-INSTALL.md index 7c72d2e..0aedf7e 100644 --- a/AGENT-INSTALL.md +++ b/AGENT-INSTALL.md @@ -8,7 +8,7 @@ This versioned reference ships inside `@patchstack/connect` and documents each s - It reads the project's **dependency list only** — from the lockfile (`package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`) or, on bun projects (`bun.lock`/`bun.lockb`), by enumerating the installed packages under `node_modules/` — and sends package names + versions to Patchstack for vulnerability matching. No source code, no env var values, no file paths, no git history. (`mark-build` additionally stamps built HTML with a coarse stack descriptor that may include hosting-related env variable *names* — e.g. `VERCEL`, `CF_PAGES` — never their values.) - **`scan` makes one source edit, and only after a successful post:** it adds (or updates) the disclosure widget's `