@activemind/scd 1.4.0

package/lib/file-manifest.js

@@ -0,0 +1,145 @@
+'use strict';
+
+/**
+ * lib/file-manifest.js
+ *
+ * Pre-scan file classification — runs before any rules are applied.
+ *
+ * Classifies every file in the scan queue into a scan context:
+ *
+ *   source  — production code, scanned with full rule set
+ *   test    — test/fixture files, scanned with test rule set (stub for now)
+ *   excluded — vendor/generated files, not scanned, documented in output
+ *
+ * Classification is based on buildFileContext() from lib/file-context.js,
+ * which uses two-layer detection: path/filename signals + content confirmation.
+ * A file is only placed in the test context when classification is definitive
+ * (content confirms the path/filename signal, or content alone is sufficient).
+ * Tentative-only classifications fall back to source — conservative by design.
+ *
+ * This is the correct architectural layer for this decision. It replaces the
+ * previous approach of post-scan severity modifiers that compensated for
+ * findings in test files after rules had already been applied.
+ *
+ * Contexts are designed to be extensible — new contexts (e.g. 'config',
+ * 'migration', 'schema') can be added without changing the core scan loop.
+ * Individual contexts can also be force-included into the source loop via
+ * config in the future (e.g. config.scan.force_source_context: ['test']).
+ */
+
+const { buildFileContext, FILE_TYPES } = require('./file-context');
+
+/**
+ * File types that are excluded from scanning entirely.
+ * Vendor and generated files produce no actionable findings.
+ */
+const EXCLUDED_FILE_TYPES = new Set([
+  FILE_TYPES.VENDOR,
+  FILE_TYPES.GENERATED,
+]);
+
+/**
+ * File types that are routed to the test scan context.
+ * These are scanned with a separate, focused rule set (currently empty —
+ * test rules will be defined in a future iteration).
+ */
+const TEST_FILE_TYPES = new Set([
+  FILE_TYPES.TEST,
+  FILE_TYPES.FIXTURE,
+]);
+
+/**
+ * Build a file manifest by classifying all files before scanning begins.
+ *
+ * @param {Array<{filePath: string, content: string, ...}>} files
+ *   The full list of files prepared by the file collector, in their
+ *   original order. Each entry must have at minimum filePath and content.
+ *
+ * @returns {{
+ *   source:   Array,   — files to scan with source rules (full rule set)
+ *   test:     Array,   — files to scan with test rules (currently empty set)
+ *   excluded: Array<{filePath, reason, fileType}>,
+ *   summary:  {total, source, test, excluded},
+ *   contexts: Map<string, string>  — filePath → context name, for scan-cache
+ * }}
+ */
+function buildFileManifest(files) {
+  const source   = [];
+  const test     = [];
+  const excluded = [];
+  const contexts = new Map(); // filePath → 'source' | 'test' | 'excluded'
+
+  // fileContexts maps filePath → fileContext for all non-excluded files.
+  // Used by the secrets scanner which doesn't have file content available —
+  // it must reuse the manifest classification rather than call buildFileContext()
+  // without content (which would misclassify tentative test files as test
+  // instead of falling back to source).
+  const fileContexts = new Map();
+
+  for (const file of files) {
+    const { filePath, content } = file;
+
+    // buildFileContext() runs two-layer detection:
+    //   Layer 1: path/filename signals (tentative for test/fixture)
+    //   Layer 2: content confirmation (first 50 lines)
+    // If a tentative signal is not confirmed by content, fileType falls back
+    // to SOURCE. We therefore trust fileType directly — the manifest is the
+    // single authoritative classification for each file.
+    const ctx = buildFileContext(filePath, content);
+
+    if (EXCLUDED_FILE_TYPES.has(ctx.fileType)) {
+      excluded.push({
+        filePath,
+        fileType: ctx.fileType,
+        reason:   ctx.fileType === FILE_TYPES.VENDOR    ? 'vendor'    :
+                  ctx.fileType === FILE_TYPES.GENERATED ? 'generated' : ctx.fileType,
+        signals:  ctx.signals,
+      });
+      contexts.set(filePath, 'excluded');
+      // excluded files get no fileContext entry — they are not scanned
+
+    } else if (TEST_FILE_TYPES.has(ctx.fileType)) {
+      test.push({ ...file, fileContext: ctx });
+      contexts.set(filePath, 'test');
+      fileContexts.set(filePath, ctx);
+
+    } else {
+      // SOURCE, CONFIG, DOCS, or any unrecognised type → source context.
+      // Conservative: when in doubt, scan with full rule set.
+      source.push({ ...file, fileContext: ctx });
+      contexts.set(filePath, 'source');
+      fileContexts.set(filePath, ctx);
+    }
+  }
+
+  const summary = {
+    total:    files.length,
+    source:   source.length,
+    test:     test.length,
+    excluded: excluded.length,
+  };
+
+  return { source, test, excluded, summary, contexts, fileContexts };
+}
+
+/**
+ * Format a one-line manifest summary for terminal output.
+ * Shown before scanning begins so the user sees file breakdown upfront.
+ *
+ * Example:
+ *   "312 source · 47 test (separate context) · 12 excluded (vendor/generated)"
+ */
+function formatManifestSummary(summary) {
+  const parts = [`${summary.source} source`];
+
+  if (summary.test > 0) {
+    parts.push(`${summary.test} test (separate context)`);
+  }
+  if (summary.excluded > 0) {
+    parts.push(`${summary.excluded} excluded (vendor/generated)`);
+  }
+
+  return parts.join(' · ');
+}
+
+module.exports = { buildFileManifest, formatManifestSummary };

package/lib/git-utils.js

@@ -0,0 +1,102 @@
+/**
+ * git-utils.js
+ * Helpers to extract which files are relevant for each hook type.
+ *
+ * pre-commit  → files staged for this commit (git diff --cached)
+ * pre-push    → files changed vs remote (what will actually be pushed)
+ */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Returns a list of { filePath, content } objects for the relevant hook.
+ */
+async function getChangedFiles(hookType = 'pre-push') {
+  try {
+    let output = '';
+
+    if (hookType === 'pre-commit') {
+      // Files staged for the upcoming commit
+      output = execSync('git diff --cached --name-only --diff-filter=ACM', {
+        encoding: 'utf8'
+      });
+    } else {
+      // pre-push: files changed in commits not yet on remote
+      // Falls back to last commit if no remote configured (common in new repos)
+      try {
+        // Try against remote tracking branch first
+        output = execSync('git diff --name-only --diff-filter=ACM @{u} HEAD', {
+          encoding: 'utf8'
+        });
+      } catch {
+        try {
+          // Has more than one commit – diff against previous
+          output = execSync('git diff --name-only --diff-filter=ACM HEAD~1 HEAD', {
+            encoding: 'utf8'
+          });
+        } catch {
+          // Only one commit – list all tracked files
+          output = execSync('git diff --name-only --diff-filter=ACM --cached HEAD', {
+            encoding: 'utf8', shell: true
+          });
+          if (!output.trim()) {
+            // Absolute fallback: all files in repo
+            output = execSync('git ls-files', { encoding: 'utf8' });
+          }
+        }
+      }
+    }
+
+    const filePaths = output
+      .trim()
+      .split('\n')
+      .filter(Boolean)
+      .filter(f => shouldScanFile(f));
+
+    const files = [];
+    for (const filePath of filePaths) {
+      try {
+        if (hookType === 'pre-commit') {
+          // Read staged content (not working tree) via git show
+          const content = execSync(`git show :${filePath}`, { encoding: 'utf8' });
+          files.push({ filePath, content });
+        } else {
+          if (fs.existsSync(filePath)) {
+            const content = fs.readFileSync(filePath, 'utf8');
+            files.push({ filePath, content });
+          }
+        }
+      } catch {
+        // Binary file or unreadable – skip
+      }
+    }
+
+    return files;
+  } catch {
+    // Not in a git repo or no commits yet
+    return [];
+  }
+}
+
+/**
+ * Files we skip scanning (binary, dependencies, generated)
+ */
+function shouldScanFile(filePath) {
+  const skip = [
+    'node_modules/', '.git/', 'dist/', 'build/', '.next/',
+    'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml',
+  ];
+  const skipExt = [
+    '.png', '.jpg', '.jpeg', '.gif', '.svg', '.ico',
+    '.woff', '.woff2', '.ttf', '.eot', '.pdf',
+    '.zip', '.tar', '.gz', '.map'
+  ];
+
+  if (skip.some(s => filePath.includes(s))) return false;
+  if (skipExt.some(e => filePath.endsWith(e))) return false;
+  return true;
+}
+
+module.exports = { getChangedFiles };

package/lib/global-config.js

@@ -0,0 +1,239 @@
+/**
+ * global-config.js
+ * Manages the global (user-level) Secure Code by Design configuration.
+ *
+ * Location: ~/.scd/config  (never inside a repo)
+ * Format:   KEY=VALUE  (simple, no external deps)
+ *
+ * Stored settings:
+ *   (extensible for future global settings)
+ *
+ * Security notes:
+ *   - File is created with mode 0600 (owner read/write only)
+ *   - API key is never printed in full – always masked
+ *   - scd configure --show reveals only first 12 + last 4 chars
+ */
+
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+const os   = require('os');
+
+const GLOBAL_DIR      = path.join(os.homedir(), '.scd');
+const GLOBAL_CONFIG   = path.join(GLOBAL_DIR, 'config');
+const FILE_MODE       = 0o600;
+
+// ── Read/write helpers ─────────────────────────────────────────────────────
+
+function ensureDir() {
+  if (!fs.existsSync(GLOBAL_DIR)) {
+    fs.mkdirSync(GLOBAL_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+function readRaw() {
+  if (!fs.existsSync(GLOBAL_CONFIG)) return {};
+  try {
+    const lines = fs.readFileSync(GLOBAL_CONFIG, 'utf8').split('\n');
+    const result = {};
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith('#')) continue;
+      const eqIdx = trimmed.indexOf('=');
+      if (eqIdx === -1) continue;
+      const key = trimmed.slice(0, eqIdx).trim();
+      const val = trimmed.slice(eqIdx + 1).trim();
+      result[key] = val;
+    }
+    return result;
+  } catch {
+    return {};
+  }
+}
+
+function writeRaw(data) {
+  ensureDir();
+  const lines = [
+    '# Secure Code by Design – global configuration',
+    '# Managed by: scd configure',
+    '# NEVER share this file – it contains API keys',
+    '',
+    ...Object.entries(data).map(([k, v]) => `${k}=${v}`),
+    '',
+  ];
+  fs.writeFileSync(GLOBAL_CONFIG, lines.join('\n'), { mode: FILE_MODE, encoding: 'utf8' });
+  // Enforce permissions even if file already existed
+  try { fs.chmodSync(GLOBAL_CONFIG, FILE_MODE); } catch { /* ignore on Windows */ }
+}
+
+// ── Public API ─────────────────────────────────────────────────────────────
+
+/**
+ * Get a value from global config.
+ * Returns undefined if not set.
+ */
+function get(key) {
+  return readRaw()[key];
+}
+
+/**
+ * Set a key in global config.
+ */
+function set(key, value) {
+  const data = readRaw();
+  data[key] = value;
+  writeRaw(data);
+}
+
+/**
+ * Remove a key from global config.
+ * Returns true if the key existed and was removed.
+ */
+function remove(key) {
+  const data = readRaw();
+  if (!(key in data)) return false;
+  delete data[key];
+  writeRaw(data);
+  return true;
+}
+
+/**
+ * Get the configured central server URL.
+ * Returns null if not set.
+ */
+function getCentralUrl() {
+  return get('CENTRAL_URL') || null;
+}
+
+/**
+ * Set the central server URL.
+ */
+function setCentralUrl(url) {
+  // Normalize localhost → 127.0.0.1 to avoid IPv6 resolution issues.
+  // On macOS with Node 18, localhost resolves to ::1 but Express listens
+  // on IPv4 by default — resulting in ECONNREFUSED. Using 127.0.0.1 is
+  // always correct and avoids the ambiguity.
+  const normalized = url.replace(/\/\//g, '//').replace('//localhost', '//127.0.0.1').replace(/\/$/, '');
+  set('CENTRAL_URL', normalized);
+}
+
+/**
+ * Remove the central server URL (disables push queue).
+ */
+function removeCentralUrl() {
+  return remove('CENTRAL_URL');
+}
+
+/**
+ * Get the configured central server API token.
+ * Returns null if not set.
+ */
+function getCentralToken() {
+  return get('CENTRAL_TOKEN') || null;
+}
+
+/**
+ * Set the central server API token.
+ */
+function setCentralToken(token) {
+  set('CENTRAL_TOKEN', token.trim());
+}
+
+/**
+ * Remove the central server API token.
+ */
+function removeCentralToken() {
+  return remove('CENTRAL_TOKEN');
+}
+
+// ── Timeout configuration ─────────────────────────────────────────────────
+
+const TIMEOUT_DEFAULTS = {
+  SERVER_TIMEOUT_MS: 30000,     // 30 seconds — regular API calls
+  DEEP_TIMEOUT_MS:   1200000,   // 20 minutes — Ollama can be slow on CPU hardware
+};
+
+/**
+ * Parse human-readable timeout values: '30s', '5m', '1200000' (ms as string).
+ */
+function parseTimeoutArg(value) {
+  if (typeof value === 'number') return value;
+  const str = String(value).trim().toLowerCase();
+  if (str.endsWith('m')) {
+    const n = parseInt(str, 10);
+    if (isNaN(n)) throw new Error(`Invalid timeout value: ${value}`);
+    return n * 60 * 1000;
+  }
+  if (str.endsWith('s')) {
+    const n = parseInt(str, 10);
+    if (isNaN(n)) throw new Error(`Invalid timeout value: ${value}`);
+    return n * 1000;
+  }
+  const n = parseInt(str, 10);
+  if (isNaN(n)) throw new Error(`Invalid timeout value: ${value}`);
+  return n;
+}
+
+function getServerTimeout() {
+  const val = get('SERVER_TIMEOUT_MS');
+  const n   = val ? parseInt(val, 10) : NaN;
+  return isNaN(n) ? TIMEOUT_DEFAULTS.SERVER_TIMEOUT_MS : n;
+}
+
+function setServerTimeout(ms) {
+  set('SERVER_TIMEOUT_MS', String(ms));
+}
+
+function getDeepTimeout() {
+  const val = get('DEEP_TIMEOUT_MS');
+  const n   = val ? parseInt(val, 10) : NaN;
+  return isNaN(n) ? TIMEOUT_DEFAULTS.DEEP_TIMEOUT_MS : n;
+}
+
+function setDeepTimeout(ms) {
+  set('DEEP_TIMEOUT_MS', String(ms));
+}
+
+// ── Scan trace ────────────────────────────────────────────────────────────
+// When enabled, every finding (active and suppressed) carries a _trace object
+// in all scan-JSON files. Never shown in terminal output or reports.
+// Set manually: SCAN_TRACE=true in ~/.scd/config
+// Not exposed via scd configure — internal debug tool only.
+
+function getScanTrace() {
+  return get('SCAN_TRACE') === 'true';
+}
+
+function setScanTrace(enabled) {
+  set('SCAN_TRACE', enabled ? 'true' : 'false');
+}
+
+// ── Server version cache ──────────────────────────────────────────────────
+// Cached from health endpoint and batch responses.
+// Lets CLI warn about version mismatch without an extra network call.
+
+function getServerVersion() {
+  return get('SERVER_VERSION') || null;
+}
+
+function getMinCliVersion() {
+  return get('MIN_CLI_VERSION') || null;
+}
+
+function setServerVersionInfo(serverVersion, minCliVersion) {
+  if (serverVersion)  set('SERVER_VERSION',  serverVersion);
+  if (minCliVersion)  set('MIN_CLI_VERSION', minCliVersion);
+}
+
+module.exports = {
+  get, set, remove,
+  getCentralUrl, setCentralUrl, removeCentralUrl,
+  getCentralToken, setCentralToken, removeCentralToken,
+  getServerTimeout, setServerTimeout,
+  getDeepTimeout, setDeepTimeout,
+  getScanTrace, setScanTrace,
+  getServerVersion, getMinCliVersion, setServerVersionInfo,
+  parseTimeoutArg,
+  GLOBAL_CONFIG, GLOBAL_DIR,
+};

package/lib/hooks-manager.js

@@ -0,0 +1,130 @@
+/**
+ * hooks-manager.js
+ * Per-repo git hook management.
+ *
+ * scd init sets core.hooksPath globally (all repos protected by default).
+ * This module allows a specific repo to override that by setting
+ * core.hooksPath locally — either disabling hooks entirely or pointing
+ * explicitly back to ~/.scd/hooks.
+ *
+ * Status model:
+ *   enabled        — hooks active (local or global points to a real dir)
+ *   disabled       — explicitly disabled via scd repo hooks --disable
+ *                    (local override set to /dev/null or NUL)
+ *   global-broken  — no local override, but global points to /dev/null
+ *                    (user mistake or old demo setup — not a scd operation)
+ *   not-installed  — no hooksPath configured anywhere
+ *   unknown        — could not read git config (not a git repo etc.)
+ */
+
+'use strict';
+
+const { execSync } = require('child_process');
+const os   = require('os');
+const path = require('path');
+
+const HOOKS_DIR   = path.join(os.homedir(), '.scd', 'hooks');
+const NULL_DEVICE = process.platform === 'win32' ? 'NUL' : '/dev/null';
+
+function gitConfig(args, cwd) {
+  try {
+    const val = execSync('git config ' + args, {
+      encoding: 'utf8', cwd,
+      stdio: ['pipe', 'pipe', 'pipe'],   // suppress stderr (e.g. 'fatal: not a git repo')
+    }).trim();
+    return val || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Returns true if the given path is inside a git repository.
+ */
+function isGitRepo(dirPath) {
+  try {
+    execSync('git rev-parse --git-dir', {
+      encoding: 'utf8', cwd: dirPath,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function isNullDevice(p) {
+  return p === 'NUL' || p === '/dev/null';
+}
+
+/**
+ * Returns current hook status for the given repo root.
+ * @returns {{ status: string, hooksPath: string|null, source: 'local'|'global'|null }}
+ */
+function getHookStatus(repoRoot) {
+  try {
+    // 0. Check path exists and is a git repo
+    if (!require('fs').existsSync(repoRoot)) {
+      return { status: 'missing', hooksPath: null, source: null };
+    }
+    if (!isGitRepo(repoRoot)) {
+      return { status: 'not-a-git-repo', hooksPath: null, source: null };
+    }
+
+    // 1. Local .git/config override (repo-specific, set by scd repo hooks)
+    const localPath = gitConfig('--local core.hooksPath', repoRoot);
+    if (localPath !== null) {
+      return {
+        status:    isNullDevice(localPath) ? 'disabled' : 'enabled',
+        hooksPath: localPath,
+        source:    'local',
+      };
+    }
+
+    // 2. Global ~/.gitconfig (applies to all repos without local override)
+    const globalPath = gitConfig('--global core.hooksPath', repoRoot);
+    if (globalPath !== null) {
+      if (isNullDevice(globalPath)) {
+        // Global is broken — not a scd-managed per-repo disable
+        return { status: 'global-broken', hooksPath: globalPath, source: 'global' };
+      }
+      return { status: 'enabled', hooksPath: globalPath, source: 'global' };
+    }
+
+    return { status: 'not-installed', hooksPath: null, source: null };
+
+  } catch {
+    return { status: 'unknown', hooksPath: null, source: null };
+  }
+}
+
+/**
+ * Disable hooks for this repo by setting local core.hooksPath to /dev/null.
+ * This overrides the global setting without affecting other repos.
+ */
+function disableHooks(repoRoot) {
+  execSync(`git config --local core.hooksPath "${NULL_DEVICE}"`, {
+    encoding: 'utf8', cwd: repoRoot,
+  });
+}
+
+/**
+ * Re-enable hooks for this repo.
+ *
+ * Strategy: set local core.hooksPath explicitly to ~/.scd/hooks rather
+ * than just unsetting the local key. This is safer because:
+ *   - If global is /dev/null (like after a demo), unset would still leave
+ *     hooks disabled — not what the user wants.
+ *   - Explicit local set ensures hooks are active regardless of global state.
+ *
+ * To fully clean up (no local override at all), the user can run:
+ *   git config --local --unset core.hooksPath
+ * But for scd's purposes, explicit re-enable is the right default.
+ */
+function enableHooks(repoRoot) {
+  execSync(`git config --local core.hooksPath "${HOOKS_DIR}"`, {
+    encoding: 'utf8', cwd: repoRoot,
+  });
+}
+
+module.exports = { getHookStatus, disableHooks, enableHooks, HOOKS_DIR, isNullDevice, isGitRepo };