feat: network warning plugin for Vite dev server safety

.gitignore

@@ -0,0 +1,7 @@
+node_modules
+dist
+.DS_Store
+
+
+
+

README.md

@@ -1 +1,16 @@
-# vite-plugins
+# @weka/vite-plugins
+
+## Contributing
+
+1. Create a branch named `<your-name>/<feature>` and open a pull request to `main`.
+2. Use [Conventional Commits](https://www.conventionalcommits.org/) for all commit messages.
+3. During code review the package can be installed directly by the PR branch name:
+   ```bash
+   yarn add @weka/vite-plugins@https://github.com/weka/vite-plugins.git#<your-name>/<feature>
+   ```
+4. After the PR is merged into `main`, create a tag from `main` and install by tag name:
+   ```bash
+   git tag <version>
+   git push origin <version>
+   yarn add @weka/vite-plugins@https://github.com/weka/vite-plugins.git#<version>
+   ```

package.json

@@ -0,0 +1,12 @@
+{
+  "name": "@weka/vite-plugins",
+  "version": "1.0.0",
+  "type": "module",
+  "exports": {
+    "./networkWarning": "./src/networkWarning.js"
+  },
+  "peerDependencies": {
+    "vite": ">=5"
+  }
+}
+

src/networkWarning.d.ts

@@ -0,0 +1,4 @@
+import type { Plugin } from 'vite'
+
+export declare const NETWORK_SAFE_HOST: string
+export declare function networkWarningPlugin(): Plugin

src/networkWarning.js

@@ -0,0 +1,98 @@
+/**
+ * @weka/vite-plugins/networkWarning
+ *
+ * Vite plugin that protects developers on public networks by defaulting
+ * the dev server to localhost only, and requiring explicit confirmation
+ * before exposing to the local network.
+ *
+ * Setup (in vite.config.ts):
+ *
+ *   import { NETWORK_SAFE_HOST, networkWarningPlugin } from '@weka/vite-plugins/networkWarning'
+ *
+ *   export default defineConfig({
+ *     plugins: [networkWarningPlugin()],
+ *     server: {
+ *       host: NETWORK_SAFE_HOST,
+ *     }
+ *   })
+ *
+ * Usage:
+ *
+ *   # Safe (default) — localhost only, no network exposure
+ *   yarn dev
+ *
+ *   # Expose to network — triggers a yes/no confirmation prompt
+ *   yarn dev --host
+ *
+ * If the developer answers "no", the server never starts and nothing is exposed.
+ */
+
+import { createInterface } from 'node:readline'
+
+function confirm(question) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout })
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close()
+      resolve(['yes', 'y'].includes(answer.trim().toLowerCase()))
+    })
+  })
+}
+
+/**
+ * Localhost only. When the user passes --host, Vite overrides this to '0.0.0.0' automatically.
+ */
+export const NETWORK_SAFE_HOST = '127.0.0.1'
+
+/**
+ * Vite plugin that shows a warning and requires confirmation
+ * when the dev server is exposed to the local network.
+ *
+ * The prompt runs before the server starts listening on any port.
+ * If the user declines, the process exits and nothing is ever exposed.
+ */
+export function networkWarningPlugin() {
+  let isNetworkExposed = false
+
+  return {
+    name: 'weka-network-warning',
+    configResolved(config) {
+      const host = config.server.host
+      isNetworkExposed =
+        host !== 'localhost' &&
+        host !== '127.0.0.1' &&
+        host !== undefined &&
+        host !== false
+    },
+    async configureServer(_server) {
+      if (!isNetworkExposed) return
+
+      console.log('\n')
+      console.log(
+        '  \x1b[41m\x1b[1m\x1b[37m ⚠️  WARNING: Dev server will be exposed to your local network! \x1b[0m'
+      )
+      console.log(
+        '  \x1b[31mAnyone on the same Wi-Fi/LAN can access this server and see your code.\x1b[0m'
+      )
+      console.log(
+        '  VPN does NOT protect against this.'
+      )
+      console.log(
+        '  For mobile testing, prefer phone hotspot or USB tethering.'
+      )
+      console.log('')
+
+      const confirmed = await confirm(
+        '  Expose to network? (yes/no): '
+      )
+      if (!confirmed) {
+        console.log(
+          '\n  ✅ Cancelled. Run without --host to use localhost only.\n'
+        )
+        process.exit(0)
+      }
+      console.log('')
+    }
+  }
+}
+