This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
CSP Analyser is a local developer tool that automates Content Security Policy (CSP) header generation. It headlessly browses a target website with a deny-all report-only CSP, captures all violations, and generates a minimal, correct policy ready for production deployment. Exposed as both an MCP server (for AI coding agents) and a standalone CLI.
npm run build # TypeScript compilation (tsc)
npm run typecheck # Type checking without emitting (tsc --noEmit)
npm run test # Run all tests (vitest run)
npm run test:watch # Watch mode (vitest)
npm run test:coverage # Tests with coverage (vitest run --coverage)
npm run test -- test/report-parser.test.ts # Run a single test file
npm run lint # Run ESLint (must have 0 errors)
npm run lint:fix # Auto-fix ESLint issues
npm run format # Format with Prettier
npm run format:check # Check formatting without writing
npm run start # Start MCP server (node dist/mcp-server.js)
npm run cli # Run CLI (node dist/cli.js)After completing each phase of work:
- Type Checking: Run
npm run typecheck— must pass with no errors - Tests: Run
npm run test— must pass with no errors - Git Commit: Create a descriptive commit for the phase
- Security Review: Review changes for security implications in a sub agent — what could go wrong? What data could be exposed? Is there duplicate or dead code?
- User Testing: Ask the user to test before proceeding to the next phase
Single TypeScript + Node.js project (ESM, "type": "module", target ES2022, NodeNext module resolution).
- Session Manager (
session-manager.ts) — orchestrates the full pipeline: auth → browser launch → CSP injection → crawling → violation capture → policy generation - Auth (
auth.ts) — handles authentication via storage state files, manual login, or raw cookies using Playwright - CSP Injection (
csp-injector.ts) — intercepts responses via Playwright route API to strip existing CSP headers and inject deny-all report-only CSP - Violation Capture — dual capture: DOM event listeners (
violation-listener.ts) + HTTP report endpoint (report-server.ts), parsed byreport-parser.ts - Inline Hash Extraction (
inline-content-extractor.ts) — after each page loads, extracts full inline content (<script>,<style>, event handlers,styleattributes) viapage.evaluate()and computes SHA-256 hashes stored ininline_hashestable - Crawler (
crawler.ts) — same-origin link discovery up to configurable depth/max pages - Policy Generation —
rule-builder.ts(violation → source expressions) →policy-generator.ts(aggregate + merge inline hashes) →policy-optimizer.ts(collapse todefault-src) →policy-formatter.ts(export as header/meta/nginx/apache/cloudflare/json) - MITM Proxy (
mitm-proxy.ts,cert-manager.ts) — alternative mode for non-Playwright HTTP interception
- SQLite via
better-sqlite3— schema insrc/db/schema.ts, repository insrc/db/repository.ts - Five entities:
Session,Page,Violation,Policy,InlineHash— row types usesnake_case, domain types usecamelCase - All types defined in
src/types.ts
- MCP Server (
mcp-server.ts) — exposes tools via@modelcontextprotocol/sdkover stdio transport - CLI (
cli.ts) — commands:crawl,interactive,generate,export
csp-constants.ts— CSP directive definitions, fallback map, deny-all header builderurl-utils.ts— origin extraction, wildcard domain generation, URI normalizationlogger.ts— structured logger with configurable levelsfile-utils.ts— path validation, secure file permissions
- Don't use
anyoras— make all code as type safe as possible - ESM imports must include
.jsextension (e.g.,import { foo } from './bar.js') - Database row types (
*Row) are snake_case; domain types are camelCase — conversion happens in the repository layer
internal-docs/prd.md— Product requirements document (internal, not published)internal-docs/adr/— Architecture decision records (internal, not published)docs/— VitePress documentation site (published)