fix: restore env fixture coverage

ExceptionRegret · ExceptionRegret · commit 3de5fa69abf5 · 2026-03-11T13:49:14.000+05:30
diff --git a/.gitignore b/.gitignore
@@ -27,6 +27,7 @@ npm-debug.log*
 .env.*
 !.env.example
 !.env.sample
+!tests/fixtures/**/.env
 
 # OS and editor noise
 .DS_Store
diff --git a/.memory/project-memory.md b/.memory/project-memory.md
@@ -22,6 +22,7 @@ Build an open-source deterministic security scanner that helps repository owners
 - The package is now published to npm as `security-first-aid@0.1.2`.
 - Public execution through `npx security-first-aid@latest ...` has been verified, including the no-argument quick-start guide.
 - Global npm installs now print a post-install quick-start guide.
+- Fixture `.env` files under `tests/fixtures/` are now intentionally unignored so CI and local scans exercise the same secret/env rules.
 - Release hardening now includes a Keep a Changelog file, release validation scripts, and a tag-driven GitHub Actions release workflow.
 - CLI no-argument and help-flag behavior now shows a real quick-start guide for npm and npx users.
 - Additional implemented rules now cover `pull_request_target` workflows and wildcard CORS in JSON config.
diff --git a/README.md b/README.md
@@ -102,7 +102,22 @@ npm install -g security-first-aid
 sfa scan . --format terminal
 ```
 
-Global npm installs now print a short quick-start message after installation.
+Recommended first run after install:
+
+```bash
+npm install -g security-first-aid@latest
+sfa
+```
+
+Then run one of these:
+
+```bash
+sfa scan . --format terminal
+sfa rules list --format json
+sfa baseline create . --output ./.sfa-baseline.json
+```
+
+Important: npm may not always show lifecycle output clearly during `npm install -g`, depending on the user's npm configuration. The reliable built-in guide is `sfa` or `sfa --help`.
 
 If you just want the built-in guide:
 
@@ -145,13 +160,20 @@ node ./src/cli/index.js rules list --format json
 ### Option 1: Install from npm
 
 ```bash
-npm install -g security-first-aid
+npm install -g security-first-aid@latest
 ```
 
-Then run:
+Then immediately run:
+
+```bash
+sfa
+```
+
+Then choose a command:
 
 ```bash
 sfa scan . --format terminal
+sfa rules list --format json
 ```
 
 ### Option 2: Run with npx
diff --git a/docs/reference/cli.md b/docs/reference/cli.md
@@ -16,7 +16,14 @@ sfa
 
 If you run `sfa` with no arguments, the CLI now prints a built-in quick-start guide instead of a minimal usage block.
 
-If you install the package globally from npm, the installer also prints a short post-install quick-start message.
+If you install the package globally from npm, use this as the first-run path:
+
+```bash
+npm install -g security-first-aid@latest
+sfa
+```
+
+The `sfa` command is the reliable built-in guide. npm may suppress or reduce post-install script output depending on install mode and client configuration.
 
 PowerShell note:
 
diff --git a/tests/fixtures/insecure-service/.env b/tests/fixtures/insecure-service/.env
@@ -0,0 +1,2 @@
+# Intentionally committed insecure fixture for rule coverage.
+SECRET_KEY=super-secret-value

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Intentionally committed insecure fixture for rule coverage.`
	`2`	`+SECRET_KEY=super-secret-value`