feat: add bootcamp security for standalone security analysis

Completes the deterministic, LLM-free report trio. `bootcamp health` and
`bootcamp metrics` already expose their generation engines as standalone
commands; this adds the third — `bootcamp security` — over the
`analyzeSecurityPatterns` engine that powers SECURITY.md.

`bootcamp security <repo-url>` (local path or remote URL) scans the repo and
reports:
- findings (severity, file/line, remediation), most-severe-first
- protection coverage matrix (helmet/CORS/CSP, rate limiting, input
  validation, SQL-injection prevention, secret handling)
- security-relevant dependencies
- a 0-100 score + A-F grade

Flags mirror health/metrics: --json, --check/--min-score (CI gate),
--branch, --max-files (routed past root-flag collisions), --keep-temp,
--verbose.

Tests: 9 unit (DI-mocked resolve/scan/analyze; report/JSON/check both
directions/local/keep-temp/scan-failure/resolve-failure) and 3 E2E spawning
the real CLI against a fixture with detectable patterns (human report, JSON
shape incl. helmet/rate-limit detection, --check gate both directions).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: Copilot

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- `bootcamp security <repo-url>` command: a standalone, deterministic security pattern analysis for any repository (local path or remote URL) without invoking the LLM. Reports detected security findings (with severity, file/line, and remediation), protection coverage (security headers, CORS, CSP, rate limiting, input validation, SQL-injection prevention, secret handling), security-relevant dependencies, and a **0-100 score + A–F grade**. Prints a human-readable report by default, supports `--json` for scripting, and offers a CI gate via `--check`/`--min-score`. Reuses the same `analyzeSecurityPatterns` engine that powers `SECURITY.md` — completing the deterministic `health`/`metrics`/`security` trio.
 - `bootcamp metrics <repo-url>` command: a standalone, deterministic codebase-metrics report for any repository (local path or remote URL) without invoking the LLM. Surfaces language breakdown, source/test/doc/config composition, average/median file size, test-to-source ratio, size classification, top-level directory distribution, largest-file hotspots, and an **approachability score (0-100 + A–F grade)** with human-readable drivers. Prints a human-readable report by default, supports `--json` for scripting, and offers a CI gate via `--check`/`--min-score` (exits non-zero when approachability is below the threshold). Reuses the same `computeCodebaseMetrics` engine that powers `METRICS.md` — mirroring the existing `bootcamp health` command.
 - Web demo file viewer now has **Copy** and **Download** buttons: copy a generated doc's contents to the clipboard (async Clipboard API with a `document.execCommand` fallback and a timeout guard) or download it as a file, directly from the preview modal.
 - `bootcamp completion <bash|zsh|fish>` command to print a shell completion script for tab-completing subcommands, their aliases, and option flags. The completion data is derived from the live CLI definition, so it can never drift from the actual command surface; pipe it to your shell's completion directory (or `source <(bootcamp completion bash)`).

README.md

@@ -145,8 +145,8 @@ Onboarding Risk: 18/100 (A) 🟢
 | GitHub stars | 29 |
 | Generated files | 14+ |
 | Test suite | 1,000+ tests |
-| Source files | 51 TypeScript modules |
-| Test files | 76 Vitest files |
+| Source files | 52 TypeScript modules |
+| Test files | 78 Vitest files |
 | Lines of code | 13,381 TypeScript LOC (src/) |
 | Languages supported | 10+ |
 | Generation time | < 60 seconds |
@@ -508,6 +508,22 @@ bootcamp metrics ./my-repo --json
 bootcamp metrics ./my-repo --check --min-score 75
 ```
 
+### Security Analysis
+
+```bash
+# Analyze security patterns, protections, and score a repo
+bootcamp security https://github.com/owner/repo
+
+# Works on local paths too
+bootcamp security ./my-repo
+
+# Machine-readable output (findings, protections, deps, score)
+bootcamp security ./my-repo --json
+
+# CI gate: exit non-zero when the security score is below the minimum (default 70)
+bootcamp security ./my-repo --check --min-score 80
+```
+
 ### Auto-Create GitHub Issues
 
 ```bash
@@ -600,6 +616,7 @@ npm install -g @mermaid-js/mermaid-cli
 | `bootcamp docs <url>` | Analyze documentation drift (`--check`, `--fix`) |
 | `bootcamp health <url>` | Score onboarding-readiness (`--json`, `--check`, `--min-score`) |
 | `bootcamp metrics <url>` | Report codebase metrics & approachability (`--json`, `--check`, `--min-score`) |
+| `bootcamp security <url>` | Analyze security patterns & score (`--json`, `--check`, `--min-score`) |
 | `bootcamp init` | Scaffold a `.bootcamprc.json` config (`--force`, `--print`, `--style`) |
 | `bootcamp styles` | List the built-in style packs and the sections each enables (`--json`) |
 | `bootcamp doctor` | Diagnose your environment (`--json`) |

src/cli.ts

@@ -32,6 +32,7 @@ import { runHealthCommand } from "./commands/health-command.js";
 import { runInitCommand } from "./commands/init-command.js";
 import { runMainCommand } from "./commands/main-command.js";
 import { runMetricsCommand } from "./commands/metrics-command.js";
+import { runSecurityCommand } from "./commands/security-command.js";
 import { runStylesCommand } from "./commands/styles-command.js";
 import { STYLE_PACK_NAMES } from "./plugins.js";
 import { resolveOutputFormat } from "./services/config-resolution.js";
@@ -141,6 +142,17 @@ interface MetricsActionOptions {
   verbose?: boolean;
 }
 
+interface SecurityActionOptions {
+  [key: string]: unknown;
+  branch?: string;
+  check?: boolean;
+  minScore?: string;
+  json?: boolean;
+  maxFiles?: string;
+  keepTemp?: boolean;
+  verbose?: boolean;
+}
+
 interface InitActionOptions {
   [key: string]: unknown;
   force?: boolean;
@@ -416,6 +428,34 @@ program
     });
   });
 
+program
+  .command("security <repo-url>")
+  .description("Run deterministic security pattern analysis: findings, protections, and a 0-100 score (supports local paths)")
+  .option("-b, --branch <branch>", "Branch to analyze", "")
+  .option("--check", "Exit with code 1 if the security score is below --min-score (for CI)")
+  .option("--min-score <score>", "Minimum passing security score for --check (0-100)", "70")
+  .option("--json", "Output the security report as JSON for machine consumption")
+  .option("-m, --max-files <number>", "Maximum files to scan")
+  .option("--keep-temp", "Keep temporary clone directory")
+  .option("-v, --verbose", "Show detailed output")
+  .action(async (repoUrl: string, rawOpts) => {
+    const opts = getActionOptions<SecurityActionOptions>(rawOpts as Command | SecurityActionOptions);
+    // `-b/--branch` and `-m/--max-files` collide with the root command's
+    // options, which can capture them before the subcommand does. Fall back to
+    // reading the raw argv (same approach as `health`/`metrics`).
+    const branch = opts.branch || getCliFlagValue(["--branch", "-b"]) || "";
+    const maxFiles = opts.maxFiles || getCliFlagValue(["--max-files", "-m"]) || "500";
+    await runSecurityCommand(repoUrl, {
+      branch,
+      check: opts.check || false,
+      minScore: parseInt(opts.minScore || "70", 10),
+      json: opts.json || false,
+      maxFiles: parseInt(maxFiles, 10),
+      keepTemp: opts.keepTemp || false,
+      verbose: opts.verbose || false,
+    });
+  });
+
 program
   .command("init")
   .description("Scaffold a .bootcamprc.json config file in the current directory")

src/commands/security-command.ts

@@ -0,0 +1,186 @@
+import chalk from "chalk";
+import { readFile } from "fs/promises";
+import { join } from "path";
+
+import { resolveRepo, type RepoSource } from "../repo-resolver.js";
+import {
+  analyzeSecurityPatterns,
+  getSecurityGrade,
+  type SecurityAnalysis,
+  type Severity,
+} from "../security.js";
+import { scanRepositoryFiles } from "../services/clone-service.js";
+
+/** Options accepted by the `bootcamp security` command. */
+export interface SecurityCommandOptions {
+  branch?: string;
+  /** Emit the report as JSON for machine consumption. */
+  json?: boolean;
+  /** Exit non-zero when the security score is below `minScore` (CI gate). */
+  check?: boolean;
+  /** Minimum passing score for `--check` (0-100). Defaults to 70. */
+  minScore?: number;
+  /** Maximum files to scan. Defaults to 500. */
+  maxFiles?: number;
+  /** Keep the temporary clone (remote repos only). */
+  keepTemp?: boolean;
+  verbose?: boolean;
+}
+
+const SEVERITY_ICON: Record<Severity, string> = {
+  critical: "🔴",
+  high: "🟠",
+  medium: "🟡",
+  low: "🔵",
+  info: "⚪",
+};
+
+const SEVERITY_ORDER: Severity[] = ["critical", "high", "medium", "low", "info"];
+
+function scoreColor(score: number): typeof chalk.green {
+  if (score >= 80) return chalk.green;
+  if (score >= 60) return chalk.yellow;
+  return chalk.red;
+}
+
+function checkmark(value: boolean): string {
+  return value ? chalk.green("✓") : chalk.dim("·");
+}
+
+function printReport(analysis: SecurityAnalysis, repoName: string, filesScanned: number): void {
+  const grade = getSecurityGrade(analysis.score);
+  const emoji = analysis.score >= 80 ? "🟢" : analysis.score >= 60 ? "🟡" : "🔴";
+  const color = scoreColor(analysis.score);
+
+  console.log(chalk.bold("\n🔒 Security Analysis"));
+  console.log(chalk.dim(`Repository: ${repoName}`));
+  console.log(chalk.dim(`Scanned ${filesScanned} files\n`));
+
+  console.log(`${emoji} ` + color.bold(`${analysis.score}/100 (Grade: ${grade})`));
+
+  const counts = SEVERITY_ORDER.map(
+    (sev) => [sev, analysis.findings.filter((f) => f.severity === sev).length] as const
+  ).filter(([, n]) => n > 0);
+  if (counts.length > 0) {
+    console.log(
+      chalk.dim("Findings: ") +
+        counts.map(([sev, n]) => `${SEVERITY_ICON[sev]} ${n} ${sev}`).join(chalk.dim(" · "))
+    );
+  } else {
+    console.log(chalk.green("No pattern-based findings detected."));
+  }
+  console.log();
+
+  console.log(chalk.bold("Protections"));
+  console.log(
+    `  ${checkmark(analysis.headers.hasHelmet)} security headers (helmet)` +
+      `   ${checkmark(analysis.headers.hasCors)} CORS` +
+      `   ${checkmark(analysis.headers.hasCSP)} CSP`
+  );
+  console.log(
+    `  ${checkmark(analysis.hasRateLimiting)} rate limiting` +
+      `   ${checkmark(analysis.hasInputValidation)} input validation` +
+      `   ${checkmark(analysis.hasSqlInjectionPrevention)} SQL-injection prevention`
+  );
+  console.log(
+    `  ${checkmark(analysis.secretsHandling.gitignoreSecrets)} secrets git-ignored` +
+      `   ${checkmark(analysis.secretsHandling.hasEnvExample)} .env.example present`
+  );
+  console.log();
+
+  if (analysis.securityDeps.length > 0) {
+    console.log(chalk.bold("Security dependencies"));
+    for (const dep of analysis.securityDeps) {
+      console.log(`  ${chalk.cyan(dep.name)}` + (dep.purpose ? chalk.dim(` — ${dep.purpose}`) : ""));
+    }
+    console.log();
+  }
+
+  if (analysis.findings.length > 0) {
+    console.log(chalk.bold("Findings") + chalk.dim(" (most severe first)"));
+    const sorted = [...analysis.findings].sort(
+      (a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity)
+    );
+    for (const finding of sorted) {
+      const where = finding.file ? chalk.dim(` (${finding.file}${finding.line ? `:${finding.line}` : ""})`) : "";
+      console.log(`  ${SEVERITY_ICON[finding.severity]} ` + chalk.cyan(finding.title) + where);
+      if (finding.recommendation) {
+        console.log(chalk.dim(`      → ${finding.recommendation}`));
+      }
+    }
+    console.log();
+  }
+}
+
+/**
+ * Run the standalone `bootcamp security` command: clone/resolve the target
+ * repo, scan it, run the deterministic security pattern analysis, and report
+ * it (human or JSON). With `--check`, exits non-zero when the score is below
+ * `--min-score`. Reuses the same `analyzeSecurityPatterns` engine that powers
+ * `SECURITY.md` — mirroring `bootcamp health` and `bootcamp metrics`.
+ */
+export async function runSecurityCommand(repoUrl: string, opts: SecurityCommandOptions): Promise<void> {
+  const minScore = typeof opts.minScore === "number" && Number.isFinite(opts.minScore) ? opts.minScore : 70;
+
+  let repoSource: RepoSource;
+  try {
+    repoSource = await resolveRepo(repoUrl, process.cwd(), opts.branch || undefined);
+  } catch (error: unknown) {
+    console.error(
+      chalk.red(`Failed to resolve repository: ${error instanceof Error ? error.message : String(error)}`)
+    );
+    process.exit(1);
+    return;
+  }
+
+  let exitCode = 0;
+  try {
+    const scan = await scanRepositoryFiles(repoSource.path, opts.maxFiles ?? 500);
+    const packageJson = await readFile(join(repoSource.path, "package.json"), "utf-8")
+      .then((content) => JSON.parse(content) as Record<string, unknown>)
+      .catch(() => undefined);
+    const analysis = await analyzeSecurityPatterns(repoSource.path, scan.files, packageJson);
+    const filesScanned = scan.files.length;
+
+    if (opts.json) {
+      console.log(
+        JSON.stringify(
+          {
+            repo: repoSource.repoInfo.fullName,
+            filesScanned,
+            grade: getSecurityGrade(analysis.score),
+            ...analysis,
+          },
+          null,
+          2
+        )
+      );
+    } else {
+      printReport(analysis, repoSource.repoInfo.fullName, filesScanned);
+    }
+
+    if (opts.check && analysis.score < minScore) {
+      if (!opts.json) {
+        console.error(
+          chalk.red(`❌ Security score ${analysis.score}/100 is below the required minimum of ${minScore}.`)
+        );
+      }
+      exitCode = 1;
+    }
+  } catch (error: unknown) {
+    console.error(
+      chalk.red(`Security analysis failed: ${error instanceof Error ? error.message : String(error)}`)
+    );
+    exitCode = 1;
+  } finally {
+    if (opts.keepTemp && !repoSource.isLocal) {
+      console.log(chalk.gray(`Temporary clone kept at: ${repoSource.path}`));
+    } else {
+      await repoSource.cleanup();
+    }
+  }
+
+  if (exitCode !== 0) {
+    process.exit(exitCode);
+  }
+}

test/e2e/security-command.e2e.test.ts

@@ -0,0 +1,98 @@
+import { execFileSync } from "child_process";
+import { mkdtemp, mkdir, rm, writeFile } from "fs/promises";
+import { tmpdir } from "os";
+import { join } from "path";
+
+import { afterEach, describe, expect, it } from "vitest";
+
+import { runCli } from "./helpers.js";
+
+async function createRepo(
+  baseDir: string,
+  files: Record<string, string>
+): Promise<string> {
+  const repoDir = join(baseDir, "fixture-security-repo");
+  await mkdir(repoDir, { recursive: true });
+
+  for (const [relativePath, content] of Object.entries(files)) {
+    const fullPath = join(repoDir, relativePath);
+    await mkdir(join(fullPath, ".."), { recursive: true });
+    await writeFile(fullPath, content, "utf-8");
+  }
+
+  execFileSync("git", ["init", "-b", "main"], { cwd: repoDir, stdio: "ignore" });
+  execFileSync("git", ["config", "user.email", "test@example.com"], { cwd: repoDir, stdio: "ignore" });
+  execFileSync("git", ["config", "user.name", "Test User"], { cwd: repoDir, stdio: "ignore" });
+  execFileSync("git", ["add", "-A"], { cwd: repoDir, stdio: "ignore" });
+  execFileSync("git", ["commit", "-m", "init", "--no-gpg-sign"], { cwd: repoDir, stdio: "ignore" });
+
+  return repoDir;
+}
+
+const SECURE_FILES: Record<string, string> = {
+  "package.json": JSON.stringify(
+    {
+      name: "fixture-security-repo",
+      version: "1.0.0",
+      dependencies: { helmet: "^8.0.0", "express-rate-limit": "^8.0.0", zod: "^4.0.0" },
+    },
+    null,
+    2
+  ),
+  "README.md": "# Fixture Security Repo\n",
+  ".gitignore": ".env\nnode_modules\n",
+  ".env.example": "API_KEY=\n",
+  "src/index.ts":
+    'import helmet from "helmet";\nimport rateLimit from "express-rate-limit";\nexport const x = process.env.PORT;\n',
+};
+
+describe("security command", () => {
+  const tempDirs: string[] = [];
+
+  afterEach(async () => {
+    await Promise.all(tempDirs.map((dir) => rm(dir, { recursive: true, force: true })));
+    tempDirs.length = 0;
+  });
+
+  it("prints a human-readable security report for a local repo", async () => {
+    const tempDir = await mkdtemp(join(tmpdir(), "bootcamp-security-e2e-"));
+    tempDirs.push(tempDir);
+    const repoPath = await createRepo(tempDir, SECURE_FILES);
+
+    const result = await runCli(["security", repoPath]);
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).toContain("Security Analysis");
+    expect(result.stdout).toContain("/100");
+    expect(result.stdout).toContain("Protections");
+  }, 60_000);
+
+  it("emits machine-readable JSON with --json", async () => {
+    const tempDir = await mkdtemp(join(tmpdir(), "bootcamp-security-e2e-"));
+    tempDirs.push(tempDir);
+    const repoPath = await createRepo(tempDir, SECURE_FILES);
+
+    const result = await runCli(["security", repoPath, "--json"]);
+    expect(result.exitCode).toBe(0);
+
+    const parsed = JSON.parse(result.stdout);
+    expect(typeof parsed.score).toBe("number");
+    expect(typeof parsed.grade).toBe("string");
+    expect(Array.isArray(parsed.findings)).toBe(true);
+    expect(parsed.headers.hasHelmet).toBe(true);
+    expect(parsed.hasRateLimiting).toBe(true);
+    expect(parsed.securityDeps.some((d: { name: string }) => d.name === "helmet")).toBe(true);
+  }, 60_000);
+
+  it("supports the --check gate (passes with a low minimum, fails with an impossible one)", async () => {
+    const tempDir = await mkdtemp(join(tmpdir(), "bootcamp-security-e2e-"));
+    tempDirs.push(tempDir);
+    const repoPath = await createRepo(tempDir, SECURE_FILES);
+
+    const passing = await runCli(["security", repoPath, "--check", "--min-score", "0"]);
+    expect(passing.exitCode).toBe(0);
+
+    const failing = await runCli(["security", repoPath, "--check", "--min-score", "101"]);
+    expect(failing.exitCode).toBe(1);
+    expect(`${failing.stdout}\n${failing.stderr}`).toContain("below the required minimum");
+  }, 60_000);
+});