chore: create security.txt (#878)

Adding a security.txt file enables security researchers to quickly and
easily see where they can submit security issues and know that they are
being taken serious. From the proposal website:

> "When security risks in web services are discovered by independent
security researchers who understand the severity of the risk, they often
lack the channels to disclose them properly. As a result, security
issues may be left unreported. security.txt defines a standard to help
organizations define the process for security researchers to disclose
security vulnerabilities securely.”

See also https://securitytxt.org

.husky/pre-commit

@@ -1,4 +1,16 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
+SCRIPT_DIR="$(readlink -f "$(dirname "$0")")"
+MONOREPO_ROOT="$(readlink -f "$SCRIPT_DIR/../")"
+
+echo "Copying pdf.js"
+npm run copy:pdfjs --workspace apps/**
+
+echo "Copying .well-known/ contents"
+node "$MONOREPO_ROOT/scripts/copy-wellknown.cjs"
+
+git add "$MONOREPO_ROOT/apps/web/public/"
+git add "$MONOREPO_ROOT/apps/marketing/public/"
+
 npx lint-staged

.well-known/security.txt

@@ -0,0 +1,7 @@
+# General Issues
+Contact: https://github.com/documenso/documenso/issues/new?assignees=&labels=bug&projects=&template=bug-report.yml
+
+# Report critical issues privately to let us take appropriate action before publishing.
+Contact: mailto:security@documenso.com
+Preferred-Languages: en
+Canonical: https://documenso.com/.well-known/security.txt

apps/marketing/public/.well-known/security.txt

@@ -0,0 +1,7 @@
+# General Issues
+Contact: https://github.com/documenso/documenso/issues/new?assignees=&labels=bug&projects=&template=bug-report.yml
+
+# Report critical issues privately to let us take appropriate action before publishing.
+Contact: mailto:security@documenso.com
+Preferred-Languages: en
+Canonical: https://documenso.com/.well-known/security.txt

apps/web/public/.well-known/security.txt

@@ -0,0 +1,7 @@
+# General Issues
+Contact: https://github.com/documenso/documenso/issues/new?assignees=&labels=bug&projects=&template=bug-report.yml
+
+# Report critical issues privately to let us take appropriate action before publishing.
+Contact: mailto:security@documenso.com
+Preferred-Languages: en
+Canonical: https://documenso.com/.well-known/security.txt

lint-staged.config.cjs

@@ -1,7 +1,7 @@
 /** @type {import('lint-staged').Config} */
 module.exports = {
-  '**/*.{ts,tsx,cts,mts}': (files) => `eslint --fix ${files.join(' ')}`,
+  '**/*.{ts,tsx,cts,mts}': (files) => files.map((file) => `eslint --fix ${file}`),
-  '**/*.{js,jsx,cjs,mjs}': (files) => `prettier --write ${files.join(' ')}`,
+  '**/*.{js,jsx,cjs,mjs}': (files) => files.map((file) => `prettier --write ${file}`),
-  '**/*.{yml,mdx}': (files) => `prettier --write ${files.join(' ')}`,
+  '**/*.{yml,mdx}': (files) => files.map((file) => `prettier --write ${file}`),
   '**/*/package.json': 'npm run precommit',
 };

scripts/copy-pdfjs.cjs

@@ -8,4 +8,5 @@ const pdfjsDistPath = path.dirname(require.resolve('pdfjs-dist/package.json'));
 
 const pdfWorkerPath = path.join(pdfjsDistPath, 'build', 'pdf.worker.min.js');
 
+console.log(`Copying pdf.js to: ${path.resolve('./public/pdf.worker.min.js')}`);
 fs.copyFileSync(pdfWorkerPath, './public/pdf.worker.min.js');

scripts/copy-wellknown.cjs

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+
+/* eslint-disable @typescript-eslint/no-var-requires */
+const path = require('path');
+const fs = require('fs');
+
+const wellKnownPath = path.join(__dirname, '../.well-known');
+
+console.log('Copying .well-known/ contents to apps');
+fs.cpSync(wellKnownPath, path.join(__dirname, '../apps/web/public/.well-known'), {
+  recursive: true,
+});
+
+fs.cpSync(wellKnownPath, path.join(__dirname, '../apps/marketing/public/.well-known'), {
+  recursive: true,
+});