@activemind/scd 1.4.0

package/lib/deep-analyzer.js

@@ -0,0 +1,225 @@
+/**
+ * deep-analyzer.js
+ * Routes --deep analysis to scd-server. All AI logic lives server-side.
+ * Uses http.request instead of fetch to avoid Node.js fetch socket timeout issues.
+ */
+
+'use strict';
+const { RESET, BOLD, DIM, RED, GREEN, YELLOW, CYAN } = require('./output-constants');
+
+const fs   = require('fs');
+const path = require('path');
+const http  = require('http');
+const https = require('https');
+const url   = require('url');
+
+const CONTEXT_LINES  = 8;
+
+function extractContext(filePath, lineNum, lines = CONTEXT_LINES) {
+  try {
+    const abs     = path.resolve(process.cwd(), filePath);
+    const content = fs.readFileSync(abs, 'utf8').split('\n');
+    const start   = Math.max(0, lineNum - lines - 1);
+    const end     = Math.min(content.length, lineNum + lines);
+    return content
+      .slice(start, end)
+      .map((l, i) => `${start + i + 1}: ${l}`)
+      .join('\n');
+  } catch {
+    return '(source not available)';
+  }
+}
+
+function printTeaser() {
+  console.log('');
+  console.log(`  ${CYAN}ℹ  Deep analysis requires scd-server with the Deep Analysis Pack.${RESET}`);
+  console.log(`  ${DIM}   See https://securecodebydesign.com for subscription options.${RESET}`);
+  console.log('');
+}
+
+/**
+ * Simple HTTP POST using http.request — avoids fetch socket timeout issues.
+ */
+function httpPost(targetUrl, body, token, timeoutMs) {
+  return new Promise((resolve, reject) => {
+    const parsed   = new url.URL(targetUrl);
+    const isHttps  = parsed.protocol === 'https:';
+    const lib      = isHttps ? https : http;
+    const bodyStr  = typeof body === 'string' ? body : JSON.stringify(body);
+
+    const options = {
+      hostname: parsed.hostname,
+      port:     parsed.port || (isHttps ? 443 : 80),
+      path:     parsed.pathname + parsed.search,
+      method:   'POST',
+      headers:  {
+        'Content-Type':   'application/json',
+        'Authorization':  'Bearer ' + token,
+        'Content-Length': Buffer.byteLength(bodyStr),
+      },
+      timeout: timeoutMs,
+    };
+
+    const req = lib.request(options, (res) => {
+      const chunks = [];
+      res.on('data', chunk => chunks.push(chunk));
+      res.on('end', () => {
+        const raw = Buffer.concat(chunks).toString('utf8');
+        resolve({ status: res.statusCode, body: raw });
+      });
+    });
+
+    req.on('timeout', () => {
+      req.destroy(new Error(`Request timed out after ${timeoutMs}ms`));
+    });
+
+    req.on('error', reject);
+    req.write(bodyStr);
+    req.end();
+  });
+}
+
+async function deepAnalyze(findings, opts = {}) {
+  const { centralUrl, token, repoId, scanId, trustLevel = 'balanced', verbose = false } = opts;
+
+  if (!centralUrl) { printTeaser(); return new Map(); }
+
+  if (!token) {
+    console.log('\nRED❌ --deep requires an scd-server API token.' + RESET);
+    console.log(DIM + '   Run: scd configure --token <token>' + RESET + '\n');
+    return new Map();
+  }
+
+  const eligible = Array.from(findings).filter(f =>
+    f.severity === 'CRITICAL' || f.severity === 'HIGH'
+  );
+
+  if (eligible.length === 0) return new Map();
+
+  if (verbose) {
+    process.stdout.write(`${DIM} 🔍 Sending ${eligible.length} findings to scd-server for deep analysis...${RESET}\n`);
+  }
+
+  const payload = eligible.map(f => ({
+    ruleId:   f.ruleId,
+    name:     f.name     || f.ruleId,
+    severity: f.severity,
+    file:     f.filePath,
+    line:     f.line,
+    snippet:  f.snippet  || null,
+    context:  extractContext(f.filePath, f.line),
+    problem:  f.description || null,
+  }));
+
+  try {
+    const { getDeepTimeout } = require('./global-config');
+    const response = await httpPost(
+      centralUrl + '/api/v1/deep/analyze',
+      { repoId, scanId, trust_level: trustLevel, findings: payload },
+      token,
+      getDeepTimeout()
+    );
+
+    if (response.status === 503 || response.status === 404) {
+      printTeaser();
+      return new Map();
+    }
+
+    if (response.status !== 200) {
+      let errMsg = `HTTP ${response.status}`;
+      try { errMsg = JSON.parse(response.body).error || errMsg; } catch {}
+      throw new Error(errMsg);
+    }
+
+    const data = JSON.parse(response.body);
+
+    const results = new Map();
+    for (const result of (data.results || [])) {
+      const fp = result.file || result.filePath;
+      if (!fp) continue;
+      if (!results.has(fp)) results.set(fp, []);
+      results.get(fp).push(result);
+    }
+    return results;
+
+  } catch (err) {
+    console.log(`\nYELLOW⚠️  Deep analysis unavailable: ${err.message}${RESET}`);
+    console.log(DIM + '   Scan completed. Run again with --deep when scd-server is reachable.' + RESET + '\n');
+    return new Map();
+  }
+}
+
+const SEV_COLORS = { CRITICAL: RED, HIGH: YELLOW };
+
+function formatDeepSection(findings, deepResults) {
+  if (!deepResults || deepResults.size === 0) return '';
+
+
+  const lines = [];
+  lines.push('');
+  lines.push('─'.repeat(60));
+  lines.push(`  ${CYAN}${BOLD}↓  Deep analysis (--deep)  ↓${RESET}`);
+  lines.push('─'.repeat(60));
+
+  for (const [filePath, analyses] of deepResults) {
+    if (!Array.isArray(analyses) || analyses.length === 0) continue;
+
+    if (analyses[0]?._error) {
+      lines.push(`\n  ${RED}❌ ${filePath}${RESET}`);
+      lines.push(`     ${DIM}Error: ${analyses[0]._error}${RESET}`);
+      continue;
+    }
+
+    for (const analysis of analyses) {
+      const original = findings.find(f =>
+        f.ruleId === analysis.ruleId && f.line === analysis.line &&
+        (f.filePath === filePath || f.filePath.endsWith(filePath) || filePath.endsWith(f.filePath))
+      );
+      const sev     = original?.severity ?? 'HIGH';
+      const color   = SEV_COLORS[sev] ?? YELLOW;
+      const sevIcon = sev === 'CRITICAL' ? '🔴' : '🟠';
+
+      lines.push('');
+      lines.push(`  ${color}${BOLD}${sevIcon} ${analysis.ruleId} · ${filePath}:${analysis.line}${RESET}`);
+
+      if (analysis.confirmed === false) {
+        lines.push(`     ${GREEN}${BOLD}✓ Likely false positive${RESET}  ${DIM}(confidence: ${analysis.confidence})${RESET}`);
+        if (analysis.false_positive_reason) lines.push(`     ${DIM}${analysis.false_positive_reason}${RESET}`);
+        continue;
+      }
+
+      // Normalise confidence — 7b model may return numeric (0-1) instead of string
+      const rawConf = analysis.confidence;
+      const conf = typeof rawConf === 'number'
+        ? (rawConf >= 0.8 ? 'HIGH' : rawConf >= 0.5 ? 'MEDIUM' : 'LOW')
+        : (rawConf || 'LOW');
+      const confColor = conf === 'HIGH' ? RED : conf === 'MEDIUM' ? YELLOW : DIM;
+      lines.push(`     ${BOLD}Assessment:${RESET} ${RED}✗ Confirmed${RESET}  ${DIM}confidence: ${confColor}${conf}${RESET}`);
+
+      if (analysis.attack_scenario) {
+        lines.push('');
+        lines.push(`     ${BOLD}Attack:${RESET}`);
+        const words = analysis.attack_scenario.split(' ');
+        let cur = '     ';
+        for (const w of words) {
+          if (cur.length + w.length > 82) { lines.push(`${DIM}${cur}${RESET}`); cur = '     ' + w + ' '; }
+          else cur += w + ' ';
+        }
+        if (cur.trim()) lines.push(`${DIM}${cur}${RESET}`);
+      }
+
+      if (analysis.fix_code) {
+        lines.push('');
+        lines.push(`     ${BOLD}Fix:${RESET}`);
+        for (const fl of analysis.fix_code.split('\n')) lines.push(`     ${GREEN}${fl}${RESET}`);
+      }
+
+      if (analysis.fix_explanation) lines.push(`     ${DIM}↳ ${analysis.fix_explanation}${RESET}`);
+    }
+  }
+
+  lines.push('');
+  return lines.join('\n');
+}
+
+module.exports = { deepAnalyze, formatDeepSection };

package/lib/doctor.js

@@ -0,0 +1,236 @@
+const { RESET, BOLD, DIM, RED, GREEN, YELLOW, CYAN } = require('./output-constants');
+/**
+ * doctor.js
+ * Checks that hooks are active, up to date, and working.
+ * Maps to "Layer 1 – Technical self-check" in the architecture.
+ */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const HOOKS_DIR       = path.join(os.homedir(), '.scd', 'hooks');
+const STALE_ATTEMPTS  = 10;
+const GRACE_DAYS      = 7;
+
+async function doctor() {
+  console.log(CYAN + '\n Secure Code by Design – System check' + RESET + '\n');
+
+  let allOk = true;
+
+  // 1. Check global hooks path
+  const NULL_DEVICE = process.platform === 'win32' ? 'NUL' : '/dev/null';
+  try {
+    const hooksPath = execSync('git config --global core.hooksPath', {
+      encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+    if (hooksPath === HOOKS_DIR) {
+      ok('Global hooks configured', hooksPath);
+    } else if (hooksPath === NULL_DEVICE) {
+      fail('Global hooks disabled — core.hooksPath set to ' + hooksPath);
+      console.log(DIM + '    This disables hooks for ALL repos on this machine.' + RESET);
+      console.log(DIM + '    Fix: git config --global core.hooksPath "' + HOOKS_DIR + '"' + RESET);
+      allOk = false;
+    } else {
+      warn('Global hooks pointing to unexpected directory', hooksPath);
+      console.log(DIM + '    Expected: ' + HOOKS_DIR + RESET);
+      console.log(DIM + '    Fix: git config --global core.hooksPath "' + HOOKS_DIR + '"' + RESET);
+    }
+  } catch {
+    fail('Global hooks NOT configured');
+    console.log(DIM + '    Run: scd install' + RESET);
+    allOk = false;
+  }
+
+  // 2. Check hook files exist and are executable
+  const isWindows = process.platform === 'win32';
+  for (const hook of ['pre-commit', 'pre-push']) {
+    const hookPath = path.join(HOOKS_DIR, hook);
+    if (fs.existsSync(hookPath)) {
+      if (isWindows) {
+        // Windows does not have executable bits — presence is sufficient
+        ok(`${hook} hook active`);
+      } else {
+        try {
+          fs.accessSync(hookPath, fs.constants.X_OK);
+          ok(`${hook} hook active`);
+        } catch {
+          fail(`${hook} hook exists but is not executable`);
+          console.log(`${DIM}    Run: chmod +x ${hookPath}${RESET}`);
+          allOk = false;
+        }
+      }
+    } else {
+      fail(`${hook} hook missing`);
+      allOk = false;
+    }
+  }
+
+  // 3. Check current repo (if in one)
+  try {
+    const repoRoot = execSync('git rev-parse --show-toplevel', { encoding: 'utf8', stdio: 'pipe' }).trim();
+    ok('Inside a git repo', repoRoot);
+
+    // Check if scd repo hooks --disable has been used for this repo
+    const { getHookStatus } = require('./hooks-manager');
+    const hookStatus = getHookStatus(repoRoot);
+    if (hookStatus.status === 'disabled') {
+      warn('Hooks disabled for this repo', 'core.hooksPath → ' + hookStatus.hooksPath);
+      console.log(DIM + '    Re-enable with: scd repo hooks --enable' + RESET);
+    } else if (hookStatus.status === 'global-broken') {
+      fail('Global hooks disabled — core.hooksPath set to /dev/null');
+      console.log(DIM + '    Fix: git config --global core.hooksPath "' + HOOKS_DIR + '"' + RESET);
+      allOk = false;
+    }
+
+    // Check if local .git/hooks would override global (old-style hook setup)
+    const localHooksDir = path.join(repoRoot, '.git', 'hooks');
+    const localPrePush = path.join(localHooksDir, 'pre-push');
+    if (fs.existsSync(localPrePush)) {
+      const content = fs.readFileSync(localPrePush, 'utf8');
+      if (!content.includes('scd')) {
+        warn('Local pre-push hook found that is not Secure Code by Design', localPrePush);
+        console.log(DIM + '    Local hooks override global. Verify that your hooks work together.' + RESET);
+      }
+    }
+  } catch {
+    info('Not inside a git repo');
+  }
+
+  // 4. Push queue status
+  try {
+    const { getCentralUrl } = require('./global-config');
+    const centralUrl = getCentralUrl();
+    if (centralUrl) {
+      const { queueSize, staleCount, isPastGrace } = require('./push-queue');
+      const pending = queueSize();
+      const stale   = staleCount();
+      const grace   = isPastGrace();
+
+      ok('Central URL configured', centralUrl);
+
+      if (stale > 0) {
+        warn(`Push queue has ${stale} stale event(s) (${STALE_ATTEMPTS}+ failed attempts)`);
+        console.log(DIM + '    Run: scd repo --verify --clean to purge stale events' + RESET);
+        allOk = false;
+      } else if (grace) {
+        warn(`Push queue has events older than ${GRACE_DAYS} days – central may be unreachable`);
+        allOk = false;
+      } else if (pending > 0) {
+        info(`Push queue: ${pending} event(s) pending sync`);
+      } else {
+        ok('Push queue empty – all events synced');
+      }
+    } else {
+      info('Push queue inactive (no central URL configured)');
+      console.log(DIM + '    scd configure --central-url https://your-server:3000' + RESET);
+    }
+  } catch {
+    // Non-fatal if push-queue module unavailable
+  }
+
+  // 5. scd-server health check (if central URL configured)
+  try {
+    const { getCentralUrl, getCentralToken } = require('./global-config');
+    const centralUrl = getCentralUrl();
+    if (centralUrl) {
+      const token   = getCentralToken();
+      const http    = centralUrl.startsWith('https') ? require('https') : require('http');
+      const baseUrl = centralUrl.replace(/\/$/, '');
+
+      const result = await new Promise((resolve) => {
+        const req = http.get(
+          baseUrl + '/api/v1/health',
+          { headers: token ? { 'Authorization': `Bearer ${token}` } : {}, timeout: 5000 },
+          (res) => {
+            let data = '';
+            res.on('data', chunk => { data += chunk; });
+            res.on('end', () => {
+              try { resolve({ status: res.statusCode, body: JSON.parse(data) }); }
+              catch { resolve({ status: res.statusCode, body: null }); }
+            });
+          }
+        );
+        req.on('timeout', () => { req.destroy(); resolve({ status: 0, body: null }); });
+        req.on('error', () => resolve({ status: 0, body: null }));
+      });
+
+      if (result.status === 0) {
+        fail('scd-server unreachable');
+        console.log(`${DIM}    ${baseUrl}${RESET}`);
+        allOk = false;
+      } else if (result.body && result.body.license) {
+        const lic = result.body.license;
+        if (lic.tier === 'invalid') {
+          // Strip support URL from reason — administrator should resolve, not end users
+          const reason = (lic.reason || 'unknown reason')
+            .replace(/\.?\s*Contact support@[^.]+\.com\.?/gi, '').trim();
+          fail(`scd-server license invalid — ${reason}`);
+          console.log(DIM + '    Contact your local scd-server administrator.' + RESET);
+          allOk = false;
+        } else if (lic.tier === 'development') {
+          ok('scd-server reachable', `development mode · ${baseUrl}`);
+        } else {
+          const exp = lic.expiry ? ` · expires ${lic.expiry}` : '';
+          ok('scd-server reachable', `${lic.tier}${exp} · ${baseUrl}`);
+        }
+
+        // Show server version + min CLI version
+        try {
+          const srvVer = result.body.version      || null;
+          const minVer = result.body.min_cli_version || null;
+          const { setServerVersionInfo } = require('./global-config');
+          setServerVersionInfo(srvVer, minVer);
+
+          if (srvVer) console.log(`${DIM}    Server version:   v${srvVer}${RESET}`);
+          if (minVer) console.log(`${DIM}    Min CLI version:  v${minVer}${RESET}`);
+
+          const { getVersionWarning } = require('./version-check');
+          const versionWarn = getVersionWarning();
+          if (versionWarn) {
+            console.log('');
+            console.log(`${YELLOW}    ${versionWarn.replace(/\n   /g, '\n    ')}${RESET}`);
+            allOk = false;
+          }
+        } catch { /* non-fatal */ }
+
+        // Show configured timeouts
+        try {
+          const { getServerTimeout, getDeepTimeout } = require('./global-config');
+          const sTout = getServerTimeout();
+          const dTout = getDeepTimeout();
+          const fmt   = ms => ms >= 60000 ? `${Math.round(ms/60000)}m` : `${Math.round(ms/1000)}s`;
+          console.log(`${DIM}    Server timeout: ${fmt(sTout)}  ·  Deep timeout: ${fmt(dTout)}${RESET}`);
+        } catch { /* non-fatal */ }
+      } else {
+        ok('scd-server reachable', baseUrl);
+      }
+    }
+  } catch { /* non-fatal */ }
+
+  // 6. Summary
+  console.log('');
+  if (allOk) {
+    console.log(GREEN + BOLD + ' ✅ Everything looks good!' + RESET);
+  } else {
+    console.log(RED + BOLD + ' ⚠️  Action required (see above)' + RESET);
+  }
+  console.log('');
+}
+
+
+function ok(msg, detail = null) {
+  console.log(`${GREEN} ✅ ${msg}${RESET}${detail ? DIM + ' – ' + detail + RESET : ''}`);
+}
+function fail(msg) {
+  console.log(`${RED} ❌ ${msg}${RESET}`);
+}
+function warn(msg, detail = null) {
+  console.log(`${YELLOW} ⚠️  ${msg}${RESET}${detail ? DIM + ' – ' + detail + RESET : ''}`);
+}
+function info(msg) {
+  console.log(`${CYAN} ℹ️  ${msg}${RESET}`);
+}
+
+module.exports = { doctor };