neon_sakura 0.1.4

data/bin/ai-security-review

@@ -0,0 +1,585 @@
+#!/usr/bin/env bash
+# AI-powered security analysis for Rails applications
+# Analyzes routes, security scans, controller architecture, and API security
+#
+# Usage:
+#   bin/ai-security-review [OPTIONS] [BASE_BRANCH] [OLLAMA_URL]
+#   bin/ai-security-review --help | -h
+#
+# Options:
+#   -m, --model MODEL  Specify the model to use (default: codestral:latest)
+#   -i, --interactive  Interactively select model from available models
+#   -f, --full-review  Review current state (no comparison)
+#   --help, -h         Show this help message
+#
+# Arguments:
+#   BASE_BRANCH - Branch to compare against (default: main or master, ignored with -f)
+#   OLLAMA_URL  - Ollama server URL (default: $OLLAMA_URL env var or http://localhost:11434)
+#
+# Examples:
+#   bin/ai-security-review                       # Compare security changes vs main
+#   bin/ai-security-review -f                    # Full security review (current state)
+#   bin/ai-security-review develop               # Compare vs develop branch
+#   bin/ai-security-review -i                    # Interactively select model
+#   bin/ai-security-review -m llama3:latest      # Use specific model
+#   bin/ai-security-review main http://server    # Use remote Ollama server
+
+# Load shared library
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+if [ -f "$SCRIPT_DIR/../lib/ai-script-base.sh" ]; then
+  # shellcheck source=../lib/ai-script-base.sh
+  source "$SCRIPT_DIR/../lib/ai-script-base.sh"
+else
+  echo "Error: Shared library not found at $SCRIPT_DIR/../lib/ai-script-base.sh"
+  exit 1
+fi
+
+# Show help
+show_help() {
+  cat << EOF
+AI Security Review - Comprehensive security analysis using Ollama
+
+USAGE:
+  bin/ai-security-review [OPTIONS] [BASE_BRANCH] [OLLAMA_URL]
+  bin/ai-security-review --help | -h
+
+OPTIONS:
+  -m, --model MODEL     Specify the model to use (default: codestral:latest)
+  -i, --interactive     Interactively select model from available models
+  -f, --full-review     Review current state (no branch comparison)
+  --help, -h            Show this help message
+
+ARGUMENTS:
+  BASE_BRANCH          Branch to compare against (default: auto-detect main/master)
+                       Ignored when using -f/--full-review
+  OLLAMA_URL           Ollama server URL (default: \$OLLAMA_URL env var or http://localhost:11434)
+
+EXAMPLES:
+  # Compare security changes vs main
+  bin/ai-security-review
+
+  # Full security review of current state
+  bin/ai-security-review -f
+
+  # Compare vs develop branch
+  bin/ai-security-review develop
+
+  # Interactively select model
+  bin/ai-security-review -i
+
+  # Use specific model
+  bin/ai-security-review -m llama3:latest
+
+  # Use remote Ollama server
+  bin/ai-security-review main http://server:11434
+
+  # Combine options
+  bin/ai-security-review -f -m llama3:latest
+
+WHAT IT ANALYZES:
+  - Routes and API endpoints (config/routes.rb)
+  - Brakeman security scanner results
+  - Bundle Audit gem vulnerabilities
+  - Controller architecture and authentication patterns
+  - User management implementation
+  - API security (JWT, authentication, authorization)
+  - Secret detection (optional, requires trufflehog)
+
+REQUIREMENTS:
+  - Ollama installed and running (https://ollama.ai)
+  - At least one model pulled (e.g., ollama pull codestral:latest)
+  - Rails application with standard structure
+
+ENVIRONMENT VARIABLES:
+  OLLAMA_URL           Ollama server URL (overridden by command line argument)
+                       Example: export OLLAMA_URL=http://192.168.1.100:11434
+
+OUTPUT:
+  Reviews are saved to: docs/ai-reviews/ai-security-review-YYYYMMDD-HHMMSS.md
+
+MORE INFO:
+  See docs/AI_PR_REVIEWER.md for full documentation
+EOF
+  exit 0
+}
+
+# Parse options
+INTERACTIVE_MODE=false
+FULL_REVIEW=false
+MODEL_NAME="codestral:latest"
+BASE_BRANCH=""
+OLLAMA_URL=""
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --help|-h)
+      show_help
+      ;;
+    -i|--interactive)
+      INTERACTIVE_MODE=true
+      shift
+      ;;
+    -f|--full-review)
+      FULL_REVIEW=true
+      shift
+      ;;
+    -m|--model)
+      if [ -z "${2:-}" ]; then
+        log_error "Option -m/--model requires a model name"
+        exit 1
+      fi
+      MODEL_NAME="$2"
+      shift 2
+      ;;
+    *)
+      # Positional arguments
+      if [ -z "$BASE_BRANCH" ]; then
+        BASE_BRANCH="$1"
+      elif [ -z "$OLLAMA_URL" ]; then
+        OLLAMA_URL="$1"
+      else
+        log_error "Unknown argument: $1"
+        echo "Run 'bin/ai-security-review --help' for usage information"
+        exit 1
+      fi
+      shift
+      ;;
+  esac
+done
+
+# Set defaults
+OLLAMA_URL=$(get_ollama_url "$OLLAMA_URL")
+if [ "$FULL_REVIEW" = false ]; then
+  BASE_BRANCH=$(determine_base_branch "$BASE_BRANCH")
+fi
+
+# Create temp directory
+TEMP_DIR=$(create_temp_dir)
+
+log_info "Starting AI security review..."
+if [ "$FULL_REVIEW" = true ]; then
+  log_info "Mode: ${CYAN}Full review (current state)${NC}"
+else
+  log_info "Mode: ${CYAN}Branch comparison${NC}"
+  log_info "Base branch: ${CYAN}$BASE_BRANCH${NC}"
+fi
+log_info "Ollama server: ${CYAN}$OLLAMA_URL${NC}"
+echo ""
+
+# Check if Ollama is accessible
+check_ollama_server "$OLLAMA_URL" || exit 1
+echo ""
+
+# Interactive model selection if requested
+if [ "$INTERACTIVE_MODE" = true ]; then
+  MODEL_NAME=$(select_ollama_model "$OLLAMA_URL" "$MODEL_NAME")
+  echo ""
+  log_info "Selected model: ${CYAN}$MODEL_NAME${NC}"
+  echo ""
+fi
+
+# Ensure model is available
+ensure_ollama_model "$OLLAMA_URL" "$MODEL_NAME" || exit 1
+echo ""
+
+# ============================================================================
+# Gather Security Information
+# ============================================================================
+
+log_section "📊 Gathering Security Information"
+
+# Get current branch and changes if in comparison mode
+if [ "$FULL_REVIEW" = false ]; then
+  CURRENT_BRANCH=$(get_current_branch)
+  log_info "Current branch: ${CYAN}$CURRENT_BRANCH${NC}"
+
+  # Get changed files
+  log_info "Getting changed files..."
+  CHANGED_FILES=$(get_changed_files "$BASE_BRANCH")
+  CHANGED_FILES_COUNT=$(echo "$CHANGED_FILES" | wc -l | tr -d ' ')
+  log_success "Found $CHANGED_FILES_COUNT changed files"
+  echo ""
+
+  # Get diff for security-relevant files
+  log_info "Extracting security-relevant changes..."
+  SECURITY_DIFF=$(git diff "$BASE_BRANCH...HEAD" -- \
+    'config/routes.rb' \
+    'app/controllers/**/*.rb' \
+    'app/models/user.rb' \
+    'app/models/account.rb' \
+    'config/application.rb' \
+    'Gemfile' \
+    'Gemfile.lock' 2>/dev/null || echo "")
+
+  if [ -n "$SECURITY_DIFF" ]; then
+    SECURITY_DIFF=$(echo "$SECURITY_DIFF" | head -c 5000)
+    log_success "Security changes extracted"
+  else
+    log_info "No security-relevant file changes detected"
+  fi
+  echo ""
+fi
+
+# 1. Routes
+log_info "Extracting routes..."
+if [ -f "config/routes.rb" ]; then
+  ROUTES=$(cat config/routes.rb)
+  log_success "Routes extracted (${#ROUTES} chars)"
+else
+  ROUTES="Routes file not found"
+  log_warning "Routes file not found at config/routes.rb"
+fi
+
+# 2. Run Brakeman
+log_info "Running Brakeman security scanner..."
+if command -v brakeman &> /dev/null; then
+  BRAKEMAN_OUTPUT=$(brakeman -q -f text --no-pager 2>&1 || true)
+  if [ -z "$BRAKEMAN_OUTPUT" ]; then
+    BRAKEMAN_OUTPUT="No security warnings found"
+  fi
+  log_success "Brakeman scan complete"
+else
+  BRAKEMAN_OUTPUT="Brakeman not installed. Install with: gem install brakeman"
+  log_warning "Brakeman not found"
+fi
+
+# 3. Bundle Audit
+log_info "Running Bundle Audit..."
+if command -v bundle-audit &> /dev/null; then
+  bundle-audit update > /dev/null 2>&1 || true
+  BUNDLE_AUDIT_OUTPUT=$(bundle-audit check 2>&1 || true)
+  if echo "$BUNDLE_AUDIT_OUTPUT" | grep -q "No vulnerabilities found"; then
+    BUNDLE_AUDIT_OUTPUT="No gem vulnerabilities found"
+  fi
+  log_success "Bundle Audit complete"
+else
+  BUNDLE_AUDIT_OUTPUT="Bundle Audit not installed. Install with: gem install bundler-audit"
+  log_warning "Bundle Audit not found"
+fi
+
+# 4. Trufflehog (optional - secret detection)
+log_info "Checking for secrets with Trufflehog..."
+if command -v trufflehog &> /dev/null; then
+  TRUFFLEHOG_OUTPUT=$(trufflehog filesystem . --json --no-update 2>&1 | head -20 || true)
+  if [ -z "$TRUFFLEHOG_OUTPUT" ]; then
+    TRUFFLEHOG_OUTPUT="No secrets detected"
+  else
+    TRUFFLEHOG_OUTPUT="Potential secrets found (first 20 lines):
+$TRUFFLEHOG_OUTPUT"
+  fi
+  log_success "Trufflehog scan complete"
+else
+  TRUFFLEHOG_OUTPUT="Trufflehog not installed (optional). See: https://github.com/trufflesecurity/trufflehog"
+  log_info "Trufflehog not found (optional)"
+fi
+
+# 5. Controller Architecture
+log_info "Analyzing controller architecture..."
+CONTROLLERS_LIST=""
+if [ -d "app/controllers" ]; then
+  CONTROLLERS_LIST=$(find app/controllers -name "*.rb" -type f | head -20)
+  CONTROLLER_COUNT=$(echo "$CONTROLLERS_LIST" | wc -l | tr -d ' ')
+  log_success "Found $CONTROLLER_COUNT controllers"
+else
+  log_warning "Controllers directory not found"
+fi
+
+# 6. Authentication Implementation (ApplicationController)
+log_info "Extracting authentication patterns..."
+AUTH_PATTERNS=""
+if [ -f "app/controllers/application_controller.rb" ]; then
+  AUTH_PATTERNS=$(cat app/controllers/application_controller.rb)
+  log_success "ApplicationController extracted"
+else
+  AUTH_PATTERNS="ApplicationController not found"
+  log_warning "ApplicationController not found"
+fi
+
+# 7. API Security (JWT, API controllers)
+log_info "Analyzing API security..."
+API_SECURITY=""
+if [ -d "app/controllers/api" ]; then
+  API_CONTROLLERS=$(find app/controllers/api -name "*.rb" -type f | head -10)
+  API_SECURITY="API Controllers found:
+$API_CONTROLLERS
+
+"
+  for controller in $API_CONTROLLERS; do
+    if [ -f "$controller" ]; then
+      API_SECURITY+="
+=== $(basename "$controller") ===
+$(head -50 "$controller")
+"
+    fi
+  done
+  log_success "API controllers analyzed"
+else
+  API_SECURITY="No API controllers found"
+  log_info "No API directory found"
+fi
+
+# 8. User Model (if exists)
+log_info "Checking user management..."
+USER_MODEL=""
+if [ -f "app/models/user.rb" ]; then
+  USER_MODEL=$(cat app/models/user.rb | head -100)
+  log_success "User model extracted"
+elif [ -f "app/models/account.rb" ]; then
+  USER_MODEL=$(cat app/models/account.rb | head -100)
+  log_success "Account model extracted"
+else
+  USER_MODEL="No user/account model found"
+  log_info "No user model found"
+fi
+
+# 9. Security Headers (config/application.rb)
+log_info "Checking security headers..."
+SECURITY_CONFIG=""
+if [ -f "config/application.rb" ]; then
+  SECURITY_CONFIG=$(grep -A 5 -B 5 "security\|headers\|force_ssl\|cookies" config/application.rb || echo "No explicit security config found")
+  log_success "Security config extracted"
+else
+  SECURITY_CONFIG="Application config not found"
+  log_warning "Application config not found"
+fi
+
+echo ""
+
+# ============================================================================
+# Build Security-Focused System Prompt
+# ============================================================================
+
+log_info "Building security-focused system prompt..."
+
+SYSTEM_PROMPT=$(cat <<'SYSEND'
+You are an expert security analyst specializing in Ruby on Rails applications.
+
+**Your Task:**
+Perform a comprehensive security analysis of the Rails application based on the provided information.
+
+**Analysis Areas:**
+
+1. **Authentication & Authorization:**
+   - Review authentication implementation (sessions, tokens, JWT)
+   - Check authorization patterns (before_action, pundit, cancancan, etc.)
+   - Verify password handling and secure storage
+   - Check for insecure direct object references (IDOR)
+   - Review session management and cookie security
+
+2. **API Security:**
+   - JWT implementation and token validation
+   - API authentication mechanisms
+   - Rate limiting and throttling
+   - CORS configuration
+   - API versioning and deprecation
+
+3. **Input Validation & Sanitization:**
+   - SQL injection vulnerabilities
+   - Cross-Site Scripting (XSS) risks
+   - Mass assignment vulnerabilities
+   - File upload security
+   - Path traversal attacks
+
+4. **Routes & Endpoints:**
+   - Publicly accessible endpoints without authentication
+   - Admin routes and their protection
+   - API endpoints and versioning
+   - Unnecessary or dangerous routes
+   - HTTP method restrictions
+
+5. **Dependency Security:**
+   - Vulnerable gems (from Bundle Audit)
+   - Outdated dependencies
+   - Security patches needed
+
+6. **Secret Management:**
+   - Exposed secrets or credentials
+   - Hardcoded passwords or API keys
+   - Environment variable usage
+   - Secret rotation practices
+
+7. **Security Headers & HTTPS:**
+   - Content Security Policy (CSP)
+   - X-Frame-Options
+   - X-Content-Type-Options
+   - Strict-Transport-Security (HSTS)
+   - force_ssl configuration
+
+8. **OWASP Top 10 Coverage:**
+   - Broken Access Control
+   - Cryptographic Failures
+   - Injection
+   - Insecure Design
+   - Security Misconfiguration
+   - Vulnerable Components
+   - Authentication Failures
+   - Software and Data Integrity Failures
+   - Security Logging and Monitoring Failures
+   - Server-Side Request Forgery (SSRF)
+
+**Output Format:**
+
+## Executive Summary
+[2-3 sentences on overall security posture]
+
+## Critical Security Issues
+[ONLY list critical vulnerabilities that need immediate attention]
+[Use format: `Category - Description - Location`]
+[If none, write "No critical issues found"]
+
+## High Priority Issues
+[List important security concerns - MAX 10]
+[Use format: `Category - Description - Location`]
+[If none, write "Security posture is good"]
+
+## Medium Priority Issues
+[List moderate security improvements - MAX 10]
+[Use format: `Category - Description`]
+[If none, write "No medium priority issues"]
+
+## Security Best Practices Observed
+[List 3-5 things the application does well]
+
+## Recommendations
+[Top 5 actionable recommendations, prioritized]
+
+## Compliance Notes
+[Notes on OWASP Top 10 coverage, if relevant]
+
+**Review Guidelines:**
+- Be SPECIFIC with file paths and line numbers when possible
+- Focus on EXPLOITABLE vulnerabilities, not theoretical risks
+- Provide ACTIONABLE recommendations
+- Distinguish between critical, high, and medium priority
+- Consider Rails version and modern security practices
+- Do not report false positives from scanners without verification
+SYSEND
+)
+
+log_success "System prompt built"
+echo ""
+
+# ============================================================================
+# Build User Prompt with Gathered Information
+# ============================================================================
+
+log_info "Building analysis prompt..."
+
+if [ "$FULL_REVIEW" = true ]; then
+  MODE_INFO="**Analysis Mode:** Full security review of current state"
+else
+  MODE_INFO="**Analysis Mode:** Security changes comparison
+**Branch:** $CURRENT_BRANCH vs $BASE_BRANCH
+**Changed Files:** $CHANGED_FILES_COUNT
+
+## Security-Relevant Changes
+\`\`\`diff
+${SECURITY_DIFF:-No security-relevant file changes}
+\`\`\`
+
+## Changed Files
+\`\`\`
+$CHANGED_FILES
+\`\`\`
+"
+fi
+
+USER_PROMPT=$(cat <<USEREND
+# Security Analysis Request
+
+$MODE_INFO
+
+## Routes (config/routes.rb)
+\`\`\`ruby
+${ROUTES:0:3000}
+\`\`\`
+
+## Brakeman Security Scan
+\`\`\`
+${BRAKEMAN_OUTPUT:0:2000}
+\`\`\`
+
+## Bundle Audit (Gem Vulnerabilities)
+\`\`\`
+${BUNDLE_AUDIT_OUTPUT:0:1500}
+\`\`\`
+
+## Secret Detection (Trufflehog)
+\`\`\`
+${TRUFFLEHOG_OUTPUT:0:1500}
+\`\`\`
+
+## Controller Architecture
+Controllers found:
+\`\`\`
+${CONTROLLERS_LIST}
+\`\`\`
+
+## Authentication Implementation (ApplicationController)
+\`\`\`ruby
+${AUTH_PATTERNS:0:2000}
+\`\`\`
+
+## API Security
+\`\`\`ruby
+${API_SECURITY:0:3000}
+\`\`\`
+
+## User Management
+\`\`\`ruby
+${USER_MODEL:0:1500}
+\`\`\`
+
+## Security Configuration
+\`\`\`ruby
+${SECURITY_CONFIG:0:1000}
+\`\`\`
+
+Please perform a comprehensive security analysis based on the above information.
+USEREND
+)
+
+log_success "Analysis prompt built"
+echo ""
+
+# ============================================================================
+# Call Ollama API for Security Analysis
+# ============================================================================
+
+log_info "Calling Ollama API for security analysis..."
+echo -e "${CYAN}This may take a few minutes...${NC}"
+echo ""
+
+REVIEW=$(call_ollama_chat "$OLLAMA_URL" "$MODEL_NAME" "$SYSTEM_PROMPT" "$USER_PROMPT")
+
+# No deduplication needed for security reviews (different context)
+# Just truncate if too long
+REVIEW=$(truncate_review "$REVIEW" 150)
+
+# Display the review
+if [ "$FULL_REVIEW" = true ]; then
+  ADDITIONAL_INFO="${CYAN}Mode:${NC} Full review (current state)
+${CYAN}Analysis:${NC} Routes, Brakeman, Bundle Audit, Controllers, API, User Management
+${CYAN}Tools Used:${NC} Brakeman, Bundle Audit, Trufflehog (optional)"
+else
+  ADDITIONAL_INFO="${CYAN}Mode:${NC} Branch comparison ($CURRENT_BRANCH vs $BASE_BRANCH)
+${CYAN}Changed files:${NC} $CHANGED_FILES_COUNT
+${CYAN}Analysis:${NC} Routes, Brakeman, Bundle Audit, Controllers, API, User Management, Changes
+${CYAN}Tools Used:${NC} Brakeman, Bundle Audit, Trufflehog (optional)"
+fi
+
+display_review "$REVIEW" "AI Security Review" "$MODEL_NAME" "$ADDITIONAL_INFO"
+
+# Save review to file
+REVIEW_FILE=$(save_review "$REVIEW" "docs/ai-reviews" "ai-security-review")
+log_success "Security review saved to: ${CYAN}$REVIEW_FILE${NC}"
+echo ""
+
+# Check for critical issues
+if echo "$REVIEW" | grep -qi "CRITICAL SECURITY\|CRITICAL.*ISSUE\|IMMEDIATE.*ATTENTION"; then
+  log_error "Critical security issues found! Review the report above."
+  exit 1
+else
+  log_success "Security review complete!"
+  exit 0
+fi

data/bin/brakeman

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler/setup'
+
+ARGV.unshift('--ensure-latest')
+
+load Gem.bin_path('brakeman', 'brakeman')

data/bin/install-hooks

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# Install git hooks for Neon Sakura project
+# This script creates symlinks from .git/hooks to scripts/git-hooks
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo "🔧 Installing git hooks for Neon Sakura..."
+
+# Check if we're in a git repository
+if [ ! -d ".git" ]; then
+  echo -e "${RED}❌ Not a git repository${NC}"
+  exit 1
+fi
+
+# Create hooks directory if it doesn't exist
+mkdir -p .git/hooks
+
+# Install each hook
+hooks=("pre-commit" "pre-push" "post-merge")
+installed_count=0
+
+for hook in "${hooks[@]}"; do
+  source_hook="scripts/git-hooks/$hook"
+  target_hook=".git/hooks/$hook"
+
+  if [ ! -f "$source_hook" ]; then
+    echo -e "${YELLOW}⚠️  Source hook not found: $source_hook${NC}"
+    continue
+  fi
+
+  # Remove existing hook or symlink
+  if [ -e "$target_hook" ] || [ -L "$target_hook" ]; then
+    rm -f "$target_hook"
+  fi
+
+  # Create symlink
+  ln -s "../../$source_hook" "$target_hook"
+  echo -e "${GREEN}✅ Installed $hook hook${NC}"
+  installed_count=$((installed_count + 1))
+done
+
+echo ""
+echo -e "${GREEN}🎉 Installed $installed_count git hook(s)${NC}"
+echo ""
+echo "Installed hooks:"
+echo "  - pre-commit: Runs Rubocop, Stylelint, Brakeman, Bundle Audit, and secrets detection"
+echo "  - pre-push: Checks database schema consistency and asset compilation"
+echo "  - post-merge: Auto-runs bundle install and migrations after merges"
+echo ""
+echo "To skip hooks when committing/pushing, use --no-verify flag"

data/bin/rake

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler/setup'
+
+load Gem.bin_path('rake', 'rake')

data/bin/rubocop

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler/setup'
+
+# Explicit RuboCop config increases performance slightly while avoiding config confusion.
+ARGV.unshift('--config', File.expand_path('../.rubocop.yml', __dir__))
+
+load Gem.bin_path('rubocop', 'rubocop')

data/bin/verify_setup.rb

@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+# Simple script to check that our gem setup is working correctly
+require 'bundler/setup'
+require 'minitest/autorun'
+
+puts 'Testing neon_sakura gem setup...'
+puts "Version: #{NeonSakura::VERSION}"
+
+# Test basic functionality
+puts '✓ Version test passed'
+
+# Check if files exist
+required_files = [
+  'lib/neon_sakura/version.rb',
+  'lib/neon_sakura/engine.rb',
+  'app/assets/stylesheets/application.css',
+  'app/assets/stylesheets/base.css',
+  'app/views/layouts/mission_control/jobs/application.html.erb'
+]
+
+required_files.each do |file|
+  if File.exist?(file)
+    puts "✓ #{file} exists"
+  else
+    puts "✗ #{file} missing"
+  end
+end
+
+puts 'Gem setup verification complete!'