chore(deps): bump path-to-regexp from 8.3.0 to 8.4.0

.env.example

@@ -0,0 +1,40 @@
+# Firmis Scanner Configuration
+# Copy to .env.local and fill in your values
+
+# ============================================================================
+# Firmis Cloud (Optional)
+# ============================================================================
+# Get your API key from https://dashboard.firmis.cloud
+# Leave empty to use scanner in offline mode (fully functional)
+
+FIRMIS_API_KEY=
+
+# Cloud endpoint (default: production)
+# FIRMIS_CLOUD_ENDPOINT=https://api.firmis.cloud
+
+# ============================================================================
+# Telemetry (Optional, Opt-in)
+# ============================================================================
+# Enable anonymous telemetry to contribute to collective threat intelligence
+# All data is anonymized - no file paths, code snippets, or identifiers sent
+
+FIRMIS_TELEMETRY_ENABLED=false
+
+# Telemetry endpoint (default: production)
+# FIRMIS_TELEMETRY_ENDPOINT=https://telemetry.firmis.cloud
+
+# ============================================================================
+# Cache Settings
+# ============================================================================
+# Cache cloud responses locally for performance
+
+FIRMIS_CACHE_TTL=3600
+FIRMIS_CACHE_DIR=~/.firmis/cache
+
+# ============================================================================
+# Development / Testing
+# ============================================================================
+# Use staging endpoints for development
+
+# FIRMIS_CLOUD_ENDPOINT=https://api-staging.firmis.cloud
+# FIRMIS_TELEMETRY_ENDPOINT=https://telemetry-staging.firmis.cloud

.firmisignore.example

@@ -0,0 +1,68 @@
+# Firmis Scanner Ignore File
+#
+# This file allows you to suppress specific findings from the Firmis Scanner.
+# You can place this file in:
+#   1. Project root (.firmisignore)
+#   2. Home directory (~/.firmis/.firmisignore)
+#
+# Format:
+#   - Lines starting with # are comments
+#   - Blank lines are ignored
+#   - Rule IDs (e.g., exfil-001, sus-006)
+#   - File patterns using glob syntax (e.g., **/docs/**, *.md)
+#   - Rule:pattern combos (e.g., sus-006:**/crypto/**)
+
+# ============================================================
+# Examples
+# ============================================================
+
+# Ignore specific rules globally
+# exfil-001
+# sus-006
+
+# Ignore all findings in documentation
+# **/docs/**
+# **/README.md
+# **/*.md
+
+# Ignore all findings in test files
+# **/test/**
+# **/__tests__/**
+# **/*.test.ts
+# **/*.spec.ts
+
+# Ignore all findings in examples
+# **/examples/**
+# **/samples/**
+
+# Ignore specific rules in specific locations
+# sus-006:**/crypto-skills/**      # Allow crypto patterns in crypto skills
+# cred-004:**/test/**               # Allow test credentials in test files
+# exfil-001:**/examples/**          # Allow network calls in examples
+
+# Ignore all findings in vendored/third-party code
+# **/node_modules/**
+# **/vendor/**
+# **/third-party/**
+
+# ============================================================
+# Common Use Cases
+# ============================================================
+
+# False Positive: Legitimate crypto operations in wallet skills
+# sus-006:**/wallet/**
+# sus-007:**/wallet/**
+
+# False Positive: Test files with mock credentials
+# cred-001:**/test/**
+# cred-002:**/test/**
+# cred-003:**/test/**
+# cred-004:**/test/**
+
+# False Positive: Documentation with example API keys
+# cred-001:**/docs/**
+# cred-002:**/docs/**
+
+# False Positive: Network calls in legitimate API integration skills
+# exfil-001:**/api-integrations/**
+# sus-003:**/api-integrations/**

.github/ISSUE_TEMPLATE/bug_report.md

@@ -22,7 +22,7 @@ What actually happened.
 ## Environment
 - OS: [e.g., macOS 14.0, Ubuntu 22.04]
 - Node.js version: [e.g., 20.10.0]
-- Firmis Scanner version: [e.g., 1.0.0]
+- Firmis version: [e.g., 2.0.1]
 - Platform being scanned: [e.g., Claude Skills, MCP Servers]
 
 ## Additional Context

.github/workflows/ci.yml

@@ -16,16 +16,16 @@ jobs:
         node-version: [20, 22]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Type check
         run: npm run typecheck
@@ -40,7 +40,7 @@ jobs:
         run: npm run build
 
       - name: Upload coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
         if: matrix.node-version == 20
         with:
           files: ./coverage/coverage-final.json
@@ -50,23 +50,26 @@ jobs:
     needs: test
     runs-on: ubuntu-latest
     if: github.event_name == 'release'
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
           registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Build
         run: npm run build
 
       - name: Publish to npm
-        run: npm publish
+        run: npm publish --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/deploy-docs.yml

@@ -0,0 +1,36 @@
+name: Deploy Docs
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'docs-site/**'
+      - 'rules/**'
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      deployments: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        working-directory: docs-site
+        run: npm ci --ignore-scripts
+
+      - name: Build docs
+        working-directory: docs-site
+        run: npm run build
+
+      - name: Deploy to Cloudflare Pages
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+        run: npx wrangler pages deploy docs-site/dist --project-name=firmis-docs

.github/workflows/update-readme.yml

@@ -0,0 +1,40 @@
+name: Update README Stats
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'rules/*.yaml'
+      - 'package.json'
+      - 'src/scanner/platforms/**'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  update-readme:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Update README stats
+        run: bash scripts/update-readme.sh
+
+      - name: Check for changes
+        id: changes
+        run: |
+          if git diff --quiet README.md; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Commit and push
+        if: steps.changes.outputs.changed == 'true'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add README.md
+          git commit -m "docs: auto-update README stats"
+          git push

.gitignore

@@ -31,9 +31,22 @@ npm-debug.log*
 .cache/
 .firmis/
 
+# Claude Code
+.claude/
+
 # Temporary
 tmp/
 temp/
 
-# Test fixtures (local testing only)
-test/fixtures/
+# Test fixture secrets (fake credentials for testing — never real)
+test/fixtures/**/.env
+!test/fixtures/**/.env.example
+*.tgz
+supabase/.temp/
+
+# QA test artifacts
+.qa-reports/
+
+# Generated scan reports
+firmis-report-*.html
+dashboard/firmis-report-*.html