AegisJSProject · shgysk8zer0 · Jun 14, 2026 · Jun 14, 2026
@@ -1,49 +1,54 @@
-# Contributing to the project
-
-Due to Content-Security-Policy, use of `eval` and inline scripts are **prohibited**.
-Further, this project uses [native JavaScript modules](https://hacks.mozilla.org/2015/08/es6-in-depth-modules/),
-so be sure to familiarize yourself with the syntax. It also uses [classes](https://hacks.mozilla.org/2015/07/es6-in-depth-classes/)
-and many other [ES6](https://hacks.mozilla.org/category/es6-in-depth/) features,
-so you should be familiar with them.
-
-## Issues
-`ISSUE_TEMPALTE.md` will be used to pre-fill any issues created. Logs and detailed
-descriptions are extremely helpful and may be required. **DO NOT** report any
-issues relating to browser compatibility. Only modern browsers are supported, and
-it is your responsibility to deal with vendor prefixes and polyfills. The included
-polyfills are deprecated and will be moved to another repository. I suggest that
-you look into [Polyfill.io](https://polyfill.io).
-
-## Pull requests
-Please use an open issue and reference that issue in the pull request, as suggested
-in `PULL_REQUEST_TEMPLATE.md` (will be pre-filled when opening a pull request).
-When you open a pull request, it **MUST** pass test/linting or it cannot be merged.
-
-It is also suggested that you label your branches according to the issue and label,
-so a bug reported in issue 14 becomes a branch named `bug/14` and a feature requested
-in issue 42 becomes `feature/42`. Do not work directly on master branch, as your
-pull request may not end up being accepted, causing your fork to divert.
-
-## Testing
-All JavaScript **MUST** pass Eslint according to the rules defined in `.eslintrc`
-and have an extension of `.js`. Tests are run using either `eslint` command directly
-or by running `npm test`.
-
-### Linting rules
-- Single quotes
-- Semicolons required
-- Indent using tabs (align using spaces)
-- No `require` function. This uses native modules only
-
-> Tabs require fewer characters and can be adjusted by altering tab width. A developer
-> can increase/decrease indentation just by altering tab width, without making
-> any changes to the code itself. Since spaces are still to be used for alignment,
-> I see zero benefit to using 2 or 4 space characters instead of a single tab.
-
-Since this project minifies and packages all JavaScript using Babel & Webpack,
-all script **MUST NOT** execute any code, but only import/export functions,
-classes, etc. Modules which do not export anything, however, are the only exception
-to this rule.
-
-The simple rule is: if it exports, it **MUST NOT** have side effects. If it has
-side effects, it **MUST NOT** export.
+# Contributing Guidelines
+
+Thank you for your interest in contributing. This project enforces strict standards regarding code architecture, security, and contribution hygiene to keep the codebase maintainable and safe.
+
+Please read this document carefully before writing any code. Contributions that do not adhere to these guidelines will be closed without review.
+
+---
+
+## 1. Contribution Workflow
+
+### Contact the Maintainer First
+Do not write a large feature or refactor blindly. **You must contact the maintainer to discuss your idea before opening any code changes.** ### Issue Reference Required
+* **No unsolicited Pull Requests:** Every PR must reference an already existing, open issue that you have been assigned to.
+* PRs opened without a linked issue or prior discussion will be closed immediately. This avoids wasted effort on features or fixes that do not align with the project roadmap.
+
+---
+
+## 2. Code Style & Architecture
+
+Our linting and formatting rules are strict. Your code must fully pass our `.editorconfig` and ESLint validations before it will be considered for merging.
+
+* **Tabs vs. Spaces:** Use **Tabs** for indentation. Spaces are strictly reserved for multi-line visual alignment. Tabs ensure proper accessibility, allowing developers to customize their indentation width in their own editors.
+* **Semicolons:** Semicolons are **required**. Do not omit them.
+* **Quotes:** Use `'single quotes'` for strings unless template literals are functionally required.
+* **Module System:** This is an ES Modules (ESM) codebase. Use standard `import` and `export` syntax. CommonJS `require()` or `module.exports` are **strictly forbidden**.
+
+---
+
+## 3. Strict Security, CSP, and Trusted Types
+
+This project operates under highly restrictive runtime environments. Code must conform perfectly to strict Content Security Policies (CSP) and **Trusted Types**.
+
+To maintain compliance, the following are completely banned:
+* **No Dynamic Execution:** Absolute ban on `eval()`, `new Function()`, or passing strings to `setTimeout`/`setInterval`.
+* **No Unsafe DOM Manipulation:** Never use `.innerHTML`, `.outerHTML`, or `document.write()`. All DOM manipulations must use safe, explicit APIs like `createElement`, `textContent`, or secure Trusted Types policies.
+* **No Inline Styles:** Do not inject inline `<style>` tags or dynamic `style` attribute strings that violate CSP style-src directives.
+
+---
+
+## 4. Generative AI Policy
+
+We maintain a nuanced but strict policy regarding the use of Large Language Models (LLMs) and AI tools (such as ChatGPT, Claude, or GitHub Copilot) in this repository.
+
+### 🚫 What is BANNED
+* **AI-Generated Issues:** Do not use AI to write or submit bug reports or feature requests. This prevents the spam of hallucinated issues that waste maintainer triage time.
+* **AI-Generated Logic/PRs:** Pull Requests containing core logic, code architectures, or complex PR descriptions generated by AI will be rejected.
+
+### ⚠️ What is PERMITTED
+* Using AI assistance for purely structural or auxiliary tasks is acceptable. This includes generating **JSDoc documentation**, markdown syntax formatting, or scaffolding basic boilerplate wrappers around human-authored logic.
+
+### Why we enforce this
+1. **Spam Mitigation:** Automated prompting leads to high-volume, low-quality issue queues and code submissions that burn out open-source maintainers.
+2. **Legal & Licensing Integrity:** The legal status of LLMs trained on data with differing or proprietary source licenses remains highly ambiguous. We require absolute certainty regarding the provenance and licensing of code entering this repository.
+3. **Developer Growth:** Open-source projects should serve as a playground for junior developers to grow their programming literacy and problem-solving skills. Over-reliance on prompting creates a barrier to understanding the source code intimately. We want your human engineering, not your prompt engineering.
@@ -0,0 +1,10 @@
+# Security Policy
+
+## Reporting a Vulnerability
+Please do not report security vulnerabilities via public GitHub issues or pull requests.
+
+Instead, please use the native **Private Vulnerability Reporting** feature on this repository:
+1. Navigate to the main page of the repository.
+2. Click the **Security** tab.
+3. On the left sidebar, click **Vulnerabilities**.
+4. Click **Report a vulnerability** to submit a private report.
@@ -5,6 +5,9 @@
 # or to provide custom queries or build logic.
 name: "CodeQL"
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [master]
@@ -20,8 +23,9 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
-      # required for all workflows
-      security-events: write
+      actions: read          # Required for CodeQL to look at repository status
+      contents: read         # Required for actions/checkout to clone the code
+      security-events: write # Required to upload the security scan results to GitHub
 
     strategy:
       fail-fast: false
@@ -51,7 +55,7 @@ jobs:
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
+        # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 

@@ -6,6 +6,8 @@ on:
       - 'v*'
 
 name: Create GitHub Release
+permissions:
+  contents: write
 
 jobs:
   build:

@@ -1,5 +1,7 @@
 ---
 name: Node CI
+permissions:
+  contents: read
 on:
   push:
     branches:
@@ -11,15 +13,16 @@ on:
       - release/*
 jobs:
   build:
+    permissions:
+      contents: read
     name: Node CI
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
     - uses: actions/setup-node@v6
       with:
         node-version-file: '.nvmrc'
-        # `cache: npm` seems to require a `package-lock.json` file
-        # cache: npm
-    - run: npm i
+        cache: npm
+    - run: npm ci --ignore-scripts --no-audit --no-fund --strict-allow-scripts
     - run: npm run build --if-present
     - run: npm test
@@ -1,5 +1,7 @@
 ---
 name: Create and publish a packages to npm
+permissions:
+  contents: read
 on:
   push:
     # Sequence of patterns matched against refs/tags
@@ -25,11 +27,11 @@ jobs:
           cache: npm
           registry-url: https://registry.npmjs.org
       - name: Install dependencies
-        run: npm ci --no-audit --no-fund
+        run: npm ci --no-audit --no-fund --strict-allow-scripts
       - name: Run tests
         run: npm test
       - name: Build Package
         run: npm run build --if-present
       - name: Publish to npm
-        run: npm publish --provenance --access public
+        run: npm stage publish --provenance --access public
 
@@ -6,6 +6,9 @@
 ###########################
 name: Lint Code Base
 
+permissions:
+  contents: read
+
 #
 # Documentation:
 # https://help.github.com/en/articles/workflow-syntax-for-github-actions
@@ -34,10 +37,6 @@ on:
 ###############
 jobs:
   build:
-    strategy:
-      fail-fast: false
-      # matrix:
-      #   language:
     # Name the Job
     name: Lint Code Base
     # Set the agent to run on

@@ -0,0 +1,4 @@
+strict-allow-scripts=true
+allow-git=none
+allow-remote=none
+allow-file=none
@@ -1 +1 @@
-24.10.0
+26.3.0
@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v0.4.0] - 2026-06-14
+
+### Added
+- Add Security policy
+- Add npm config to harden installs
+
+### Changed
+- Update Workflows with permissions
+- Update contributiing guidelines
+- Update to node 26.3.0 & npm 11.16.0
+
 ## [v0.3.4] - 2026-05-28
 
 ### Added
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,6 +6,8 @@ on: @@
           - 'v*'
     name: Create GitHub Release
+    permissions:
+      contents: write
     jobs:
       build:
@@ Expand Down @@