docs: create starlight docs site

Signed-off-by: Andres Correa Casablanca <[email protected]>

.gitignore

@@ -2,14 +2,31 @@
 #
 # SPDX-License-Identifier: MIT
 
+# coverage
 **/coverage/
 **/coverage-e2e/
 **/coverage-unit/
+
+# vendored dependencies
+**/node_modules/
+
+# build & cache artifacts
+**/.astro/
 **/dist/
-**/tests/playground/*.mjs
 **/generated/
-**/node_modules/
+
+# testing artifacts
+**/tests/playground/*.mjs
 
 # moon
 .moon/cache
 .moon/docker
+
+# logs
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+
+# macOS-specific files
+.DS_Store

.moon/workspace.yml

@@ -13,6 +13,7 @@ projects:
     - '@kindspells/astro-shield/e2e/fixtures/*'
   sources:
     astro-shield: '@kindspells/astro-shield'
+    docs: 'docs'
 
 vcs:
   defaultBranch: 'main'

@kindspells/astro-shield/README.md

@@ -225,15 +225,6 @@ export const perPageSriHashes =
   This means that, for now, it is advisable to add `'self'` to the `script-src`
   directive (adding `'strict-dynamic'` does not help either).
 
-## Some guarantees for peace of mind
-
-Astro generates files in a very deterministic way, which means that for both JS
-and CSS files:
-  - Their pseudo-random names are stable across different builds
-  - The files' contents do not change from build to build (unless, of course, we
-    change them on purpose), so their hashes are stable as well (this is nice
-    for hot reloading, which does not trigger the logic of this integration).
-
 ## Other Relevant Guidelines
 
 - [Code of Conduct](https://github.com/KindSpells/astro-shield?tab=coc-ov-file)

@kindspells/astro-shield/e2e/fixtures/dynamic/package.json

@@ -11,7 +11,7 @@
 	"license": "MIT",
 	"dependencies": {
 		"@astrojs/node": "^8.2.5",
-		"astro": "^4.5.10"
+		"astro": "^4.5.12"
 	},
 	"devDependencies": {
 		"@kindspells/astro-shield": "workspace:*"

@kindspells/astro-shield/e2e/fixtures/hybrid/package.json

@@ -9,7 +9,7 @@
 	"license": "MIT",
 	"dependencies": {
 		"@astrojs/node": "^8.2.5",
-		"astro": "^4.5.10"
+		"astro": "^4.5.12"
 	},
 	"devDependencies": {
 		"@kindspells/astro-shield": "workspace:*"

@kindspells/astro-shield/e2e/fixtures/hybrid2/package.json

@@ -9,7 +9,7 @@
 	"license": "MIT",
 	"dependencies": {
 		"@astrojs/node": "^8.2.5",
-		"astro": "^4.5.10"
+		"astro": "^4.5.12"
 	},
 	"devDependencies": {
 		"@kindspells/astro-shield": "workspace:*"

@kindspells/astro-shield/e2e/fixtures/hybrid3/package.json

@@ -9,7 +9,7 @@
 	"license": "MIT",
 	"dependencies": {
 		"@astrojs/node": "^8.2.5",
-		"astro": "^4.5.10"
+		"astro": "^4.5.12"
 	},
 	"devDependencies": {
 		"@kindspells/astro-shield": "workspace:*"

@kindspells/astro-shield/e2e/fixtures/static/package.json

@@ -8,7 +8,7 @@
 	},
 	"license": "MIT",
 	"dependencies": {
-		"astro": "^4.5.10"
+		"astro": "^4.5.12"
 	},
 	"devDependencies": {
 		"@kindspells/astro-shield": "workspace:*"

@kindspells/astro-shield/package.json

@@ -24,7 +24,9 @@
 	"imports": {
 		"#as/*": "./src/*"
 	},
-	"files": ["src/*"],
+	"files": [
+		"src/*"
+	],
 	"scripts": {
 		"format": "biome format --write .",
 		"lint": "moon run lint",
@@ -61,16 +63,16 @@
 	"devDependencies": {
 		"@types/node": "^20.11.30",
 		"@vitest/coverage-v8": "^1.4.0",
-		"astro": "^4.5.10",
+		"astro": "^4.5.12",
 		"typescript": "^5.4.3",
-		"vite": "^5.2.6"
+		"vite": "^5.2.7"
 	},
 	"repository": {
 		"type": "git",
-		"url": "git+https://github.com/KindSpells/astro-shield.git"
+		"url": "git+https://github.com/kindspells/astro-shield.git"
 	},
 	"homepage": "https://github.com/kindspells/astro-shield?tab=readme-ov-file#readme",
-	"bugs": "https://github.com/KindSpells/astro-shield/issues",
+	"bugs": "https://github.com/kindspells/astro-shield/issues",
 	"funding": [
 		{
 			"type": "opencollective",

README.md

@@ -193,6 +193,16 @@ export const perPageSriHashes =
       ],
     },
   })
+
+export const perResourceSriHashes = {
+	scripts: /** @type {Record<string,string>} */ ({
+		'/code.js': 'sha256-+aSouJX5t2z1jleTbCvA9DS7+ag/F4e4ZpB/adun4Sg=',
+	}),
+	styles: /** @type {Record<string,string>} */ ({
+		'/_astro/index.BA1ZV6fH.css':
+			'sha256-iwd3GNfA+kImEozakD3ZZQSZ8VVb3MFBOhJH6dEMnDE=',
+	}),
+}
 ```
 
 > [!IMPORTANT]
@@ -225,15 +235,6 @@ export const perPageSriHashes =
   This means that, for now, it is advisable to add `'self'` to the `script-src`
   directive (adding `'strict-dynamic'` does not help either).
 
-## Some guarantees for peace of mind
-
-Astro generates files in a very deterministic way, which means that for both JS
-and CSS files:
-  - Their pseudo-random names are stable across different builds
-  - The files' contents do not change from build to build (unless, of course, we
-    change them on purpose), so their hashes are stable as well (this is nice
-    for hot reloading, which does not trigger the logic of this integration).
-
 ## Other Relevant Guidelines
 
 - [Code of Conduct](https://github.com/KindSpells/astro-shield?tab=coc-ov-file)

docs/README.md

@@ -0,0 +1,3 @@
+# Astro-Shield Documentation Website
+
+Just a documentation website.

docs/astro.config.mjs

@@ -0,0 +1,65 @@
+import { defineConfig, passthroughImageService } from 'astro/config'
+import starlight from '@astrojs/starlight'
+
+// https://astro.build/config
+export default defineConfig({
+	site: 'https://astro-shield.kindspells.dev',
+	image: {
+		service: passthroughImageService(),
+	},
+	integrations: [
+		starlight({
+			title: 'Astro-Shield Docs',
+			defaultLocale: 'en',
+			locales: {
+				root: {
+					label: 'English',
+					lang: 'en',
+				},
+			},
+			social: {
+				github: 'https://github.com/kindspells/astro-shield',
+			},
+			sidebar: [
+				{
+					label: 'Start Here',
+					items: [{ label: 'Getting Started', link: '/getting-started/' }],
+				},
+				{
+					label: 'Guides',
+					items: [
+						{
+							label: 'Subresource Integrity',
+							autogenerate: {
+								directory: 'guides/subresource-integrity',
+							},
+						},
+						{
+							label: 'Security Headers',
+							autogenerate: {
+								directory: 'guides/security-headers',
+							},
+						}
+					],
+				},
+				{
+					label: 'Other',
+					items: [
+						{
+							label: 'Known Limitations',
+							link: '/other/known-limitations/',
+						},
+						{
+							label: 'Contributing',
+							link: 'https://github.com/kindspells/astro-shield/blob/main/CONTRIBUTING.md',		
+						},
+					]
+				},
+				// {
+				// 	label: 'Reference',
+				// 	autogenerate: { directory: 'reference' },
+				// },
+			],
+		}),
+	],
+})

docs/moon.yml

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2024 KindSpells Labs S.L.
+#
+# SPDX-License-Identifier: MIT
+
+type: 'application'
+platform: 'node'
+
+tasks:
+  build:
+    command: 'astro check && astro build'
+    inputs:
+      - 'public/**/*'
+      - 'src/**/*'
+      - 'astro.config.mjs'
+      - 'package.json'
+    outputs:
+      - '.astro/**/*'
+      - 'dist/**/*'

docs/package.json

@@ -0,0 +1,21 @@
+{
+	"name": "@kindspells/astro-shield-docs",
+	"type": "module",
+	"version": "1.4.0",
+	"scripts": {
+		"dev": "astro dev",
+		"start": "astro dev",
+		"build": "astro check && astro build",
+		"preview": "astro preview",
+		"astro": "astro"
+	},
+	"dependencies": {
+		"sharp": "0.32.6"
+	},
+	"devDependencies": {
+		"@astrojs/check": "^0.5.10",
+		"@astrojs/starlight": "^0.21.2",
+		"astro": "^4.5.12",
+		"typescript": "^5.4.3"
+	}
+}

docs/src/content/config.ts

@@ -0,0 +1,6 @@
+import { defineCollection } from 'astro:content';
+import { docsSchema } from '@astrojs/starlight/schema';
+
+export const collections = {
+	docs: defineCollection({ schema: docsSchema() }),
+};

docs/src/content/docs/getting-started.mdx

@@ -0,0 +1,49 @@
+---
+title: Getting Started
+description: Get started protecting your Astro sites with Astro-Shield.
+---
+
+## Introduction
+
+Astro-Shield will help you enhance the security of your Astro site by allowing
+you to apply many security best practices, such as:
+- [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)
+- [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
+
+
+## How to install
+
+import { Code, Tabs, TabItem } from '@astrojs/starlight/components';
+
+To install, run the following command in your terminal:
+
+<Tabs>
+  <TabItem label="npm">
+    <Code code="npm install --save-dev @kindspells/astro-shield" lang="bash" />
+  </TabItem>
+  <TabItem label="pnpm">
+    <Code code="pnpm add --save-dev @kindspells/astro-shield" lang="bash" />
+  </TabItem>
+  <TabItem label="yarn">
+    <Code code="yarn add --dev @kindspells/astro-shield" lang="bash" />
+  </TabItem>
+</Tabs>
+
+## Enabling the integration
+
+In your `astro.config.mjs` file, import the integration and add it to the
+integrations array:
+
+<Code
+    lang="javascript"
+    code={`
+import { defineConfig } from 'astro/config'
+import { shield } from '@kindspells/astro-shield'
+
+export default defineConfig({
+  integrations: [
+    shield({})
+  ]
+})
+`}
+/>

docs/src/content/docs/guides/security-headers/content-security-policy.mdx

@@ -0,0 +1,60 @@
+---
+title: Content-Security-Policy (CSP)
+description: How to configure the Content-Security-Policy headers of your website with Astro-Shield
+---
+
+import { Aside, Code } from '@astrojs/starlight/components';
+
+To enable the generation of Content-Security-Policy headers for your SSR
+content, you have to set the option `securityHeaders.contentSecurityPolicy` to
+a non-null object.
+
+If you want more control, then you can set other nested options, such as
+`cspDirectives`.
+
+<Code
+    lang="javascript"
+    code={`
+import { resolve } from 'node:path'
+
+import { defineConfig } from 'astro/config'
+import { shield } from '@kindspells/astro-shield'
+
+const rootDir = new URL('.', import.meta.url).pathname
+const modulePath = resolve(rootDir, 'src', 'generated', 'sriHashes.mjs')
+
+export default defineConfig({
+  integrations: [
+    shield({
+      sri: {
+        enableMiddleware: true,   // MUST be enabled!
+        hashesModule: modulePath, // SHOULD be set!
+      },
+
+      // - If set, it controls how the security headers will be generated in the
+      //   middleware.
+      // - If not set, no security headers will be generated in the middleware.
+      securityHeaders: {
+        // - If set, it controls how the CSP (Content Security Policy) header will
+        //   be generated in the middleware.
+        // - If not set, no CSP header will be generated in the middleware.
+        contentSecurityPolicy: {
+          // - If set, it controls the "default" CSP directives (they can be
+          //   overriden at runtime).
+          // - If not set, the middleware will use a minimal set of default
+          //   directives.
+          cspDirectives: {
+            'default-src': "'none'",
+          }
+        }
+      }
+    })
+  ]
+})
+`}
+/>
+
+<Aside type="caution">
+  When enabling CSP headers, you must also set the `sri.enableMiddleware` option
+  to `true`. It is also recommended to set the `sri.hashesModule` option.
+</Aside>