@bddiudiu/vibeguard 0.1.0

package/src/core/git.ts

@@ -0,0 +1,108 @@
+import { execSync } from "child_process";
+import { existsSync, readFileSync, writeFileSync, chmodSync } from "fs";
+import { join } from "path";
+
+export interface DiffEntry {
+  filePath: string;
+  diff: string;
+}
+
+const HOOK_PATH = ".git/hooks/pre-commit";
+
+const HOOK_CONTENT = `#!/bin/sh
+# VibeGuard pre-commit hook
+echo "🛡️  VibeGuard: scanning staged changes..."
+npx vibeguard scan
+exit $?
+`;
+
+/**
+ * 从暂存区提取 diff，过滤非代码文件。
+ */
+export function getCachedDiff(ignorePaths: string[] = []): DiffEntry[] {
+  const names = execSync("git diff --cached --name-only --diff-filter=ACMR", {
+    encoding: "utf-8",
+  })
+    .trim()
+    .split("\n")
+    .filter(Boolean);
+
+  if (names.length === 0) return [];
+
+  const binaryExts = [
+    ".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg",
+    ".woff", ".woff2", ".ttf", ".eot",
+    ".zip", ".tar", ".gz", ".rar",
+    ".pdf", ".exe", ".bin",
+    ".mp3", ".mp4", ".avi",
+  ];
+
+  const entries: DiffEntry[] = [];
+
+  for (const name of names) {
+    if (binaryExts.some((ext) => name.endsWith(ext))) continue;
+    if (ignorePaths.some((p) => matchGlob(name, p))) continue;
+
+    try {
+      const diff = execSync(`git diff --cached -- "${name}"`, {
+        encoding: "utf-8",
+        maxBuffer: 1024 * 1024 * 2,
+      });
+      if (diff.trim()) {
+        entries.push({ filePath: name, diff });
+      }
+    } catch {
+      // 跳过无法读取的文件 (如新增的二进制文件)
+    }
+  }
+
+  return entries;
+}
+
+/**
+ * 安装 pre-commit hook
+ */
+export function installHook(): void {
+  const gitDir = execSync("git rev-parse --show-toplevel", {
+    encoding: "utf-8",
+  }).trim();
+  const hookPath = join(gitDir, ".git", "hooks", "pre-commit");
+
+  if (existsSync(hookPath)) {
+    const existing = readFileSync(hookPath, "utf-8");
+    if (existing.includes("VibeGuard")) {
+      return; // 已安装
+    }
+    // 备份已有 hook
+    writeFileSync(hookPath + ".bak", existing);
+  }
+
+  writeFileSync(hookPath, HOOK_CONTENT);
+  chmodSync(hookPath, 0o755);
+}
+
+/**
+ * 卸载 pre-commit hook
+ */
+export function uninstallHook(): void {
+  const gitDir = execSync("git rev-parse --show-toplevel", {
+    encoding: "utf-8",
+  }).trim();
+  const hookPath = join(gitDir, ".git", "hooks", "pre-commit");
+  const hookPathBak = hookPath + ".bak";
+
+  if (existsSync(hookPathBak)) {
+    const { renameSync } = require("fs");
+    renameSync(hookPathBak, hookPath);
+  } else if (existsSync(hookPath)) {
+    const { unlinkSync } = require("fs");
+    unlinkSync(hookPath);
+  }
+}
+
+function matchGlob(name: string, pattern: string): boolean {
+  const regex = new RegExp(
+    "^" + pattern.replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*") + "$"
+  );
+  return regex.test(name);
+}

package/src/rules/hallucination.ts

@@ -0,0 +1,27 @@
+interface RulesConfig {
+  bannedImports: string[];
+  bannedPatterns: string[];
+}
+
+export function hallucinationPrompt(rules: RulesConfig): string {
+  let prompt = `## 幻觉检测规则
+
+请重点检查以下 AI 常见的幻觉特征:
+
+1. **虚假 API 调用**: AI 编造了不存在的函数、方法或参数。例如: requests.get_with_auto_retry()、lodash.deepClone() (注意 lodash 中实际是 cloneDeep)
+2. **逻辑矛盾**: 代码中存在前后矛盾的条件判断或变量使用
+3. **未实现的占位代码**: TODO、FIXME、placeholder、stub 等占位标记
+4. **虚构的库引用**: 引入了不存在的 npm 包或 Python 模块
+5. **类型/接口不匹配**: 函数签名与调用方式不一致
+6. **API 版本错误**: 使用了已废弃或不存在的 API 版本`;
+
+  if (rules.bannedImports.length > 0) {
+    prompt += `\n\n**禁止导入的库**: ${rules.bannedImports.join(", ")}`;
+  }
+
+  if (rules.bannedPatterns.length > 0) {
+    prompt += `\n\n**禁止使用的代码模式**: ${rules.bannedPatterns.join(", ")}`;
+  }
+
+  return prompt;
+}

package/src/rules/index.ts

@@ -0,0 +1,37 @@
+import { VibeguardConfig } from "../core/config.js";
+import { hallucinationPrompt } from "./hallucination.js";
+import { securityPrompt } from "./security.js";
+
+export function buildAuditPrompt(
+  diff: string,
+  config: VibeguardConfig
+): string {
+  const sections: string[] = [];
+
+  sections.push("请分析以下 git diff 变更，检测代码中的幻觉错误和安全风险。\n");
+
+  if (config.scan.hallucinationDetection) {
+    sections.push(hallucinationPrompt(config.rules));
+  }
+
+  if (config.scan.securityScan) {
+    sections.push(securityPrompt(config.rules));
+  }
+
+  sections.push(`---\n\n以下是待分析的 diff:\n\n\`\`\`diff\n${diff}\n\`\`\``);
+
+  sections.push(`
+请按照以下 JSON 格式返回检测结果（如果没有问题，返回空数组 []）:
+
+[
+  {
+    "line": 可选的行号,
+    "severity": "high" | "medium" | "low",
+    "category": "hallucination" | "security" | "banned-import" | "banned-pattern",
+    "message": "问题描述",
+    "suggestion": "可选的修复建议"
+  }
+]`);
+
+  return sections.join("\n\n");
+}

package/src/rules/security.ts

@@ -0,0 +1,25 @@
+interface RulesConfig {
+  bannedImports: string[];
+  bannedPatterns: string[];
+}
+
+export function securityPrompt(rules: RulesConfig): string {
+  let prompt = `## 安全扫描规则
+
+请重点检查以下安全风险:
+
+1. **硬编码密钥**: 检测 API Key、Secret、Token、密码等敏感信息被直接写入代码
+   - 匹配模式: key=xxx, token=xxx, secret=xxx, password=xxx, api_key=xxx
+   - 常见格式: sk-xxx, AKIAxxx, ghpxxxx, xoxb-xxx
+2. **注入风险**: SQL 注入、命令注入、XSS 等明显的注入漏洞
+   - 例如: 字符串拼接 SQL、eval() 执行用户输入、innerHTML 赋值
+3. **不安全的加密**: 使用 MD5、SHA1 等已知不安全的哈希算法
+4. **敏感信息泄露**: 将凭据输出到日志或返回给前端
+5. **危险函数调用**: eval(), new Function(), exec(), spawn() 等高危函数`;
+
+  if (rules.bannedPatterns.length > 0) {
+    prompt += `\n\n**禁止使用的代码模式**: ${rules.bannedPatterns.join(", ")}`;
+  }
+
+  return prompt;
+}

package/tests/hallucination.test.ts

@@ -0,0 +1,93 @@
+import { describe, it, expect } from "vitest";
+
+// 模拟幻觉检测的核心逻辑（纯规则匹配，不依赖 AI）
+function detectHardcodedSecrets(diff: string): string[] {
+  const patterns = [
+    /(?:api[_-]?key|token|secret|password)\s*[:=]\s*["'][^"']{8,}["']/gi,
+    /sk-[a-zA-Z0-9]{20,}/g,
+    /AKIA[0-9A-Z]{16}/g,
+    /ghp_[a-zA-Z0-9]{36}/g,
+    /xox[bpsa]-[a-zA-Z0-9-]+/g,
+  ];
+
+  const findings: string[] = [];
+  for (const pattern of patterns) {
+    const matches = diff.match(pattern);
+    if (matches) findings.push(...matches);
+  }
+  return findings;
+}
+
+function detectDangerousPatterns(diff: string): string[] {
+  const patterns = [
+    { regex: /eval\s*\(/g, name: "eval()" },
+    { regex: /new\s+Function\s*\(/g, name: "new Function()" },
+    { regex: /__import__\s*\(\s*["']os["']\s*\)/g, name: "__import__('os')" },
+  ];
+
+  const findings: string[] = [];
+  for (const { regex, name } of patterns) {
+    if (regex.test(diff)) findings.push(name);
+  }
+  return findings;
+}
+
+describe("VibeGuard 本地规则检测", () => {
+  describe("硬编码密钥检测", () => {
+    it("检测到 Python 风格的 API Key", () => {
+      const diff = '+ api_key = "sk-1234567890abcdef1234567890abcdef"';
+      const results = detectHardcodedSecrets(diff);
+      expect(results.length).toBeGreaterThan(0);
+    });
+
+    it("检测到 AWS Access Key", () => {
+      const diff = '+ AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"';
+      const results = detectHardcodedSecrets(diff);
+      expect(results.length).toBeGreaterThan(0);
+    });
+
+    it("检测到 GitHub Token", () => {
+      const diff = '+ GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef12"';
+      const results = detectHardcodedSecrets(diff);
+      expect(results.length).toBeGreaterThan(0);
+    });
+
+    it("检测到 Slack Token", () => {
+      const diff = '+ token = "xoxb-1234567890-1234567890123-abcdefghijklmnop"';
+      const results = detectHardcodedSecrets(diff);
+      expect(results.length).toBeGreaterThan(0);
+    });
+
+    it("不误报正常赋值", () => {
+      const diff = '+ const name = "hello world"';
+      const results = detectHardcodedSecrets(diff);
+      expect(results.length).toBe(0);
+    });
+  });
+
+  describe("危险模式检测", () => {
+    it("检测到 eval()", () => {
+      const diff = '+ eval(userInput)';
+      const results = detectDangerousPatterns(diff);
+      expect(results).toContain("eval()");
+    });
+
+    it("检测到 new Function()", () => {
+      const diff = '+ const fn = new Function("return 1")';
+      const results = detectDangerousPatterns(diff);
+      expect(results).toContain("new Function()");
+    });
+
+    it("检测到 Python __import__", () => {
+      const diff = '+ __import__("os").system(cmd)';
+      const results = detectDangerousPatterns(diff);
+      expect(results).toContain("__import__('os')");
+    });
+
+    it("正常代码不触发告警", () => {
+      const diff = '+ const x = require("lodash")';
+      const results = detectDangerousPatterns(diff);
+      expect(results.length).toBe(0);
+    });
+  });
+});

package/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "Node16",
+    "moduleResolution": "Node16",
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist", "tests"]
+}