@build-astron-co/nimbus 0.2.0 → 0.4.0

package/src/commands/audit/index.ts

@@ -203,18 +203,130 @@ export async function auditExportCommand(options: AuditExportCommandOptions): Pr
   }
 }
 
+/** Options for the audit scan subcommand */
+export interface AuditScanOptions {
+  /** Compliance framework filter */
+  framework?: 'soc2' | 'hipaa' | 'pci' | 'iso27001';
+  /** Write JSON report to this file */
+  output?: string;
+  /** Directory to scan (default: cwd) */
+  dir?: string;
+  /** Exit code 1 if findings exceed this count */
+  threshold?: number;
+}
+
+/**
+ * Parse audit scan options from CLI args
+ */
+export function parseAuditScanOptions(args: string[]): AuditScanOptions {
+  const options: AuditScanOptions = {};
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === '--framework' && args[i + 1]) {
+      options.framework = args[++i] as AuditScanOptions['framework'];
+    } else if ((arg === '--output' || arg === '-o') && args[i + 1]) {
+      options.output = args[++i];
+    } else if ((arg === '--dir' || arg === '-d') && args[i + 1]) {
+      options.dir = args[++i];
+    } else if (arg === '--threshold' && args[i + 1]) {
+      options.threshold = parseInt(args[++i], 10);
+    }
+  }
+
+  return options;
+}
+
+/**
+ * Audit scan subcommand — runs the local security scanner
+ */
+export async function auditScanCommand(options: AuditScanOptions): Promise<void> {
+  const { scanSecurity } = await import('../../audit/security-scanner');
+  const dir = options.dir ?? process.cwd();
+
+  ui.startSpinner({ message: `Scanning ${dir} for security issues...` });
+
+  let result;
+  try {
+    result = await scanSecurity({ dir });
+  } catch (e: any) {
+    ui.stopSpinnerFail('Scan failed');
+    ui.error(e.message);
+    return;
+  }
+
+  ui.stopSpinnerSuccess(
+    `Scan complete: ${result.findings.length} finding(s) in ${result.scannedFiles} file(s)`
+  );
+
+  // Filter by framework if provided (maps framework to relevant finding IDs)
+  let findings = result.findings;
+  if (options.framework) {
+    // Each framework maps loosely to severity thresholds
+    const frameworkSeverityMap: Record<string, string[]> = {
+      soc2: ['CRITICAL', 'HIGH', 'MEDIUM'],
+      hipaa: ['CRITICAL', 'HIGH', 'MEDIUM'],
+      pci: ['CRITICAL', 'HIGH'],
+      iso27001: ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'],
+    };
+    const allowedSeverities = frameworkSeverityMap[options.framework] ?? [];
+    findings = findings.filter((f: { severity: string }) => allowedSeverities.includes(f.severity));
+    ui.dim(`Framework filter (${options.framework}): showing ${findings.length} relevant finding(s)`);
+  }
+
+  if (findings.length === 0) {
+    ui.info('No findings. Scan clean.');
+  } else {
+    ui.newLine();
+    for (const finding of findings) {
+      const severityColor = finding.severity === 'CRITICAL' || finding.severity === 'HIGH'
+        ? 'red'
+        : finding.severity === 'MEDIUM'
+        ? 'yellow'
+        : 'white';
+      ui.print(`[${ui.color(finding.severity, severityColor)}] ${finding.id}: ${finding.title}`);
+      if (finding.file) ui.dim(`  File: ${finding.file}${finding.line ? `:${finding.line}` : ''}`);
+      ui.dim(`  ${finding.recommendation}`);
+      ui.newLine();
+    }
+  }
+
+  // Write JSON report to file if requested
+  if (options.output) {
+    const report = {
+      timestamp: result.timestamp.toISOString(),
+      scannedFiles: result.scannedFiles,
+      scanDuration: result.scanDuration,
+      framework: options.framework ?? null,
+      findingsCount: findings.length,
+      findings,
+    };
+    fs.writeFileSync(options.output, JSON.stringify(report, null, 2), 'utf-8');
+    ui.print(`Report written to ${options.output}`);
+  }
+
+  // Threshold check — exit code 1 if too many findings
+  if (options.threshold !== undefined && findings.length > options.threshold) {
+    ui.error(`Findings (${findings.length}) exceeded threshold (${options.threshold}). Exiting with code 1.`);
+    process.exit(1);
+  }
+}
+
 /**
  * Main audit command dispatcher
  */
 export async function auditCommand(subcommand: string, args: string[]): Promise<void> {
   switch (subcommand) {
     case 'list':
-    case undefined:
+    case '':
       await auditListCommand(parseAuditListOptions(args));
       break;
     case 'export':
       await auditExportCommand(parseAuditExportOptions(args));
       break;
+    case 'scan':
+      await auditScanCommand(parseAuditScanOptions(args));
+      break;
     default:
       ui.error(`Unknown audit command: ${subcommand}`);
       ui.newLine();
@@ -222,8 +334,9 @@ export async function auditCommand(subcommand: string, args: string[]): Promise<
       ui.print('  nimbus audit                      - List audit logs');
       ui.print('  nimbus audit list                 - List audit logs');
       ui.print('  nimbus audit export               - Export audit logs');
+      ui.print('  nimbus audit scan                 - Scan directory for security issues');
       ui.newLine();
-      ui.info('Options:');
+      ui.info('Options (list):');
       ui.print('  --since <time>   Filter logs since (e.g., 7d, 24h, 2024-01-01)');
       ui.print('  --until <time>   Filter logs until');
       ui.print('  --action <type>  Filter by action type');
@@ -231,6 +344,12 @@ export async function auditCommand(subcommand: string, args: string[]): Promise<
       ui.print('  --limit <n>      Number of logs to show');
       ui.print('  --json           Output as JSON');
       ui.newLine();
+      ui.info('Options (scan):');
+      ui.print('  --framework <f>  Compliance framework: soc2|hipaa|pci|iso27001');
+      ui.print('  --output <file>  Write JSON report to file');
+      ui.print('  --dir <path>     Directory to scan (default: cwd)');
+      ui.print('  --threshold <n>  Exit code 1 if findings exceed this count');
+      ui.newLine();
       ui.info('Export options:');
       ui.print('  --format <type>  Export format (csv|json)');
       ui.print('  --output <file>  Output file path');

package/src/commands/auth-cloud.ts

@@ -265,6 +265,91 @@ export async function authAzureCommand(options: AuthCloudOptions = {}): Promise<
   ui.success('Azure credentials are configured and valid');
 }
 
+/**
+ * H1: AWS SSO Login — delegates to `aws sso login` so the CLI handles the browser flow.
+ * spawnSync with stdio: 'inherit' so device codes / browser prompts appear in terminal.
+ */
+export async function loginAwsCommand(options: AuthCloudOptions = {}): Promise<void> {
+  const installed = await isCliInstalled('aws');
+  if (!installed) {
+    ui.error('AWS CLI is not installed. Install from https://aws.amazon.com/cli/');
+    return;
+  }
+
+  ui.info('Launching AWS SSO login...');
+  ui.print(ui.dim('The browser (or device code) flow is handled by the AWS CLI.'));
+  ui.newLine();
+
+  const { spawnSync } = await import('child_process');
+  const args = ['sso', 'login'];
+  if (options.profile) {
+    args.push('--profile', options.profile);
+  }
+
+  const result = spawnSync('aws', args, { stdio: 'inherit' });
+  if (result.status === 0) {
+    ui.success('AWS SSO login completed successfully.');
+  } else {
+    ui.error('AWS SSO login failed or was cancelled.');
+  }
+}
+
+/**
+ * H1: GCP Login — delegates to `gcloud auth login --no-launch-browser` (device code flow).
+ */
+export async function loginGcpCommand(options: AuthCloudOptions = {}): Promise<void> {
+  const installed = await isCliInstalled('gcloud');
+  if (!installed) {
+    ui.error('Google Cloud SDK not installed. See https://cloud.google.com/sdk/docs/install');
+    return;
+  }
+
+  ui.info('Launching GCP device-code login...');
+  ui.print(ui.dim('Follow the URL and code shown below to complete authentication.'));
+  ui.newLine();
+
+  const { spawnSync } = await import('child_process');
+  const args = ['auth', 'login', '--no-launch-browser'];
+  if (options.project) {
+    args.push('--project', options.project);
+  }
+
+  const result = spawnSync('gcloud', args, { stdio: 'inherit' });
+  if (result.status === 0) {
+    ui.success('GCP login completed successfully.');
+  } else {
+    ui.error('GCP login failed or was cancelled.');
+  }
+}
+
+/**
+ * H1: Azure Login — delegates to `az login --use-device-code`.
+ */
+export async function loginAzureCommand(options: AuthCloudOptions = {}): Promise<void> {
+  const installed = await isCliInstalled('az');
+  if (!installed) {
+    ui.error('Azure CLI not installed. See https://learn.microsoft.com/en-us/cli/azure/install-azure-cli');
+    return;
+  }
+
+  ui.info('Launching Azure device-code login...');
+  ui.print(ui.dim('Follow the URL and code shown below to complete authentication.'));
+  ui.newLine();
+
+  const { spawnSync } = await import('child_process');
+  const args = ['login', '--use-device-code'];
+  if (options.subscription) {
+    args.push('--subscription', options.subscription);
+  }
+
+  const result = spawnSync('az', args, { stdio: 'inherit' });
+  if (result.status === 0) {
+    ui.success('Azure login completed successfully.');
+  } else {
+    ui.error('Azure login failed or was cancelled.');
+  }
+}
+
 /**
  * Cloud auth parent command router
  */
@@ -292,3 +377,31 @@ export async function authCloudCommand(
       ui.print('  nimbus auth azure   — Validate Azure credentials');
   }
 }
+
+/**
+ * Cloud login command router — delegates to CLI tools for SSO/OAuth flows (H1).
+ */
+export async function loginCloudCommand(
+  provider: string,
+  options: AuthCloudOptions = {}
+): Promise<void> {
+  switch (provider) {
+    case 'aws':
+      await loginAwsCommand(options);
+      break;
+    case 'gcp':
+    case 'google':
+      await loginGcpCommand(options);
+      break;
+    case 'azure':
+      await loginAzureCommand(options);
+      break;
+    default:
+      ui.error(`Unknown cloud provider: ${provider}`);
+      ui.newLine();
+      ui.print('Supported providers:');
+      ui.print('  nimbus auth login aws     — AWS SSO login (browser/device code)');
+      ui.print('  nimbus auth login gcp     — GCP device-code login');
+      ui.print('  nimbus auth login azure   — Azure device-code login');
+  }
+}

package/src/commands/auth-refresh.ts

@@ -0,0 +1,187 @@
+/**
+ * Auth Refresh Command
+ *
+ * Re-validate and refresh cloud provider credentials:
+ * - AWS: re-run SSO login or warn about expired temporary credentials
+ * - GCP: re-run gcloud auth application-default login
+ * - Azure: re-run az login
+ *
+ * Usage: nimbus auth-refresh [--provider aws|gcp|azure]
+ */
+
+import { ui } from '../wizard';
+import { exec } from 'node:child_process';
+import { promisify } from 'node:util';
+
+const execAsync = promisify(exec);
+
+export interface AuthRefreshOptions {
+  provider?: 'aws' | 'gcp' | 'azure' | 'all';
+}
+
+/** Check if AWS credentials are valid and not expired */
+async function checkAWSCredentials(): Promise<{ valid: boolean; message: string; sso: boolean }> {
+  try {
+    const { stdout } = await execAsync('aws sts get-caller-identity --output json', {
+      timeout: 10_000,
+    });
+    const identity = JSON.parse(stdout);
+    const isSso = identity.UserId?.includes(':') || false;
+    return {
+      valid: true,
+      message: `Account: ${identity.Account} | User: ${identity.UserId}`,
+      sso: isSso,
+    };
+  } catch (e: any) {
+    const msg = e.message || String(e);
+    const isExpired =
+      msg.includes('ExpiredToken') || msg.includes('expired') || msg.includes('token');
+    return { valid: false, message: isExpired ? 'Token expired' : msg, sso: false };
+  }
+}
+
+/** Refresh AWS SSO credentials */
+async function refreshAWS(options: AuthRefreshOptions): Promise<void> {
+  ui.header('AWS Credentials');
+
+  const check = await checkAWSCredentials();
+
+  if (check.valid) {
+    ui.success(`Credentials valid: ${check.message}`);
+    return;
+  }
+
+  ui.warning(`Credentials invalid: ${check.message}`);
+
+  // G18: Guide user through AWS SSO login if SSO profile detected
+  const awsSsoProfile = process.env.AWS_PROFILE;
+  if (awsSsoProfile) {
+    ui.info(`AWS SSO profile detected: ${awsSsoProfile}`);
+    ui.info(`Run in another terminal: aws sso login --profile ${awsSsoProfile}`);
+    ui.info('Then press Enter here to retry...');
+    // Wait for user to press Enter
+    await new Promise<void>(resolve => {
+      const readline = require('readline') as typeof import('readline');
+      const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+      rl.question('', () => { rl.close(); resolve(); });
+    });
+    // Retry the credentials check
+    try {
+      const { execFileSync } = await import('node:child_process');
+      execFileSync('aws', ['sts', 'get-caller-identity'], {
+        encoding: 'utf-8', timeout: 8000, stdio: ['pipe', 'pipe', 'pipe'],
+      });
+      ui.success('AWS credentials refreshed successfully.');
+      return;
+    } catch {
+      ui.warning('AWS credentials still invalid. You may need to re-run aws sso login.');
+    }
+  }
+
+  // Determine refresh method
+  try {
+    // Check if SSO is configured
+    const { stdout: ssoCheck } = await execAsync(
+      'aws configure list-profiles 2>/dev/null || echo ""',
+      { timeout: 5000 }
+    );
+    const profiles = ssoCheck.trim().split('\n').filter(Boolean);
+
+    if (profiles.length > 0) {
+      ui.info('Refreshing AWS SSO credentials...');
+      ui.info(`Run: aws sso login --profile ${profiles[0]}`);
+      ui.info('Or set a new profile: aws configure sso');
+    } else {
+      ui.info('To refresh AWS credentials:');
+      ui.info('  1. aws configure  (for long-term credentials)');
+      ui.info('  2. aws sso configure  (for SSO)');
+      ui.info('  3. aws sts assume-role  (for role assumption)');
+    }
+  } catch {
+    ui.info('To configure AWS credentials: aws configure');
+  }
+}
+
+/** Refresh GCP credentials */
+async function refreshGCP(_options: AuthRefreshOptions): Promise<void> {
+  ui.header('GCP Credentials');
+
+  try {
+    const { stdout } = await execAsync('gcloud auth print-access-token 2>/dev/null', {
+      timeout: 5000,
+    });
+    if (stdout.trim().length > 10) {
+      try {
+        const { stdout: proj } = await execAsync('gcloud config get-value project 2>/dev/null', {
+          timeout: 3000,
+        });
+        ui.success(`Credentials valid. Project: ${proj.trim() || '(not set)'}`);
+        return;
+      } catch {
+        ui.success('Credentials valid');
+        return;
+      }
+    }
+  } catch {
+    // Not valid
+  }
+
+  ui.warning('GCP credentials expired or not configured');
+  ui.info('To refresh: gcloud auth application-default login');
+  ui.info('For service accounts: gcloud auth activate-service-account --key-file=SA_KEY.json');
+}
+
+/** Refresh Azure credentials */
+async function refreshAzure(_options: AuthRefreshOptions): Promise<void> {
+  ui.header('Azure Credentials');
+
+  try {
+    const { stdout } = await execAsync('az account show --output json 2>/dev/null', {
+      timeout: 10_000,
+    });
+    const account = JSON.parse(stdout);
+    ui.success(
+      `Credentials valid. Subscription: ${account.name || account.id} (${account.state})`
+    );
+    if (account.state !== 'Enabled') {
+      ui.warning('Subscription is not in Enabled state');
+    }
+    return;
+  } catch {
+    // Not valid
+  }
+
+  ui.warning('Azure credentials expired or not configured');
+  ui.info('To refresh: az login');
+  ui.info('For service principals: az login --service-principal -u CLIENT_ID -p CLIENT_SECRET --tenant TENANT_ID');
+}
+
+/**
+ * Run the auth-refresh command
+ */
+export async function authRefreshCommand(options: AuthRefreshOptions = {}): Promise<void> {
+  const provider = options.provider ?? 'all';
+
+  ui.header('Nimbus Auth Refresh');
+  ui.info('Checking and refreshing cloud provider credentials...');
+  ui.newLine();
+
+  if (provider === 'all' || provider === 'aws') {
+    await refreshAWS(options);
+    ui.newLine();
+  }
+
+  if (provider === 'all' || provider === 'gcp') {
+    await refreshGCP(options);
+    ui.newLine();
+  }
+
+  if (provider === 'all' || provider === 'azure') {
+    await refreshAzure(options);
+    ui.newLine();
+  }
+
+  ui.info('Tip: Run "nimbus doctor" for a full system check');
+}
+
+export default authRefreshCommand;