@complior/engine 0.9.0

package/src/domain/scanner/sbom.test.ts

@@ -0,0 +1,136 @@
+import { describe, it, expect } from 'vitest';
+import { generateSbom, classifyComponents } from './sbom.js';
+import type { ParsedDependency } from './layers/layer3-parsers.js';
+
+const makeDep = (overrides: Partial<ParsedDependency> = {}): ParsedDependency => ({
+  name: 'express',
+  version: '^4.18.0',
+  ecosystem: 'npm',
+  ...overrides,
+});
+
+describe('classifyComponents', () => {
+  it('classifies regular library', () => {
+    const components = classifyComponents([makeDep({ name: 'express' })]);
+
+    expect(components).toHaveLength(1);
+    expect(components[0].type).toBe('library');
+    expect(components[0].isAiSdk).toBe(false);
+    expect(components[0].isBanned).toBe(false);
+  });
+
+  it('classifies AI SDK as framework', () => {
+    const components = classifyComponents([makeDep({ name: 'openai', version: '^4.0.0' })]);
+
+    expect(components).toHaveLength(1);
+    expect(components[0].type).toBe('framework');
+    expect(components[0].isAiSdk).toBe(true);
+  });
+
+  it('flags banned packages', () => {
+    const components = classifyComponents([makeDep({ name: 'deepface', ecosystem: 'pip' })]);
+
+    expect(components).toHaveLength(1);
+    expect(components[0].isBanned).toBe(true);
+  });
+
+  it('handles mixed dependencies', () => {
+    const deps = [
+      makeDep({ name: 'express' }),
+      makeDep({ name: 'openai' }),
+      makeDep({ name: 'deepface', ecosystem: 'pip' }),
+      makeDep({ name: 'react' }),
+    ];
+
+    const components = classifyComponents(deps);
+
+    expect(components).toHaveLength(4);
+    expect(components.filter((c) => c.isAiSdk)).toHaveLength(1);
+    expect(components.filter((c) => c.isBanned)).toHaveLength(1);
+  });
+});
+
+describe('generateSbom', () => {
+  it('returns valid CycloneDX 1.5 format', () => {
+    const sbom = generateSbom([makeDep()]);
+
+    expect(sbom.bomFormat).toBe('CycloneDX');
+    expect(sbom.specVersion).toBe('1.5');
+    expect(sbom.version).toBe(1);
+    expect(sbom.serialNumber).toMatch(/^urn:uuid:/);
+  });
+
+  it('includes metadata with timestamp and tools', () => {
+    const sbom = generateSbom([makeDep()]);
+
+    expect(sbom.metadata.timestamp).toBeTruthy();
+    expect(sbom.metadata.tools).toHaveLength(1);
+    expect(sbom.metadata.tools[0].name).toBe('complior');
+  });
+
+  it('generates purl for npm packages', () => {
+    const sbom = generateSbom([makeDep({ name: 'express', version: '^4.18.0', ecosystem: 'npm' })]);
+
+    expect(sbom.components[0].purl).toBe('pkg:npm/express@4.18.0');
+  });
+
+  it('generates purl for pip packages', () => {
+    const sbom = generateSbom([makeDep({ name: 'requests', version: '>=2.28.0', ecosystem: 'pip' })]);
+
+    expect(sbom.components[0].purl).toBe('pkg:pypi/requests@2.28.0');
+  });
+
+  it('generates purl for cargo packages', () => {
+    const sbom = generateSbom([makeDep({ name: 'tokio', version: '1.28', ecosystem: 'cargo' })]);
+
+    expect(sbom.components[0].purl).toBe('pkg:cargo/tokio@1.28');
+  });
+
+  it('adds complior:ai-sdk property for AI SDKs', () => {
+    const sbom = generateSbom([makeDep({ name: 'openai', version: '^4.0.0' })]);
+
+    const aiProp = sbom.components[0].properties?.find((p) => p.name === 'complior:ai-sdk');
+    expect(aiProp).toBeDefined();
+    expect(aiProp?.value).toBe('true');
+  });
+
+  it('adds complior:banned property for banned packages', () => {
+    const sbom = generateSbom([makeDep({ name: 'deepface', ecosystem: 'pip', version: '0.1.0' })]);
+
+    const bannedProp = sbom.components[0].properties?.find((p) => p.name === 'complior:banned');
+    expect(bannedProp).toBeDefined();
+    expect(bannedProp?.value).toBe('true');
+  });
+
+  it('handles empty dependency list', () => {
+    const sbom = generateSbom([]);
+
+    expect(sbom.components).toHaveLength(0);
+    expect(sbom.bomFormat).toBe('CycloneDX');
+  });
+
+  it('generates unique serial numbers', () => {
+    const sbom1 = generateSbom([makeDep()]);
+    const sbom2 = generateSbom([makeDep()]);
+
+    expect(sbom1.serialNumber).not.toBe(sbom2.serialNumber);
+  });
+
+  it('strips version prefixes in components', () => {
+    const sbom = generateSbom([makeDep({ name: 'react', version: '~18.2.0' })]);
+
+    expect(sbom.components[0].version).toBe('18.2.0');
+  });
+
+  it('includes ecosystem property on all components', () => {
+    const sbom = generateSbom([
+      makeDep({ ecosystem: 'npm' }),
+      makeDep({ name: 'flask', ecosystem: 'pip' }),
+    ]);
+
+    for (const component of sbom.components) {
+      const ecosystemProp = component.properties?.find((p) => p.name === 'complior:ecosystem');
+      expect(ecosystemProp).toBeDefined();
+    }
+  });
+});

package/src/domain/scanner/sbom.ts

@@ -0,0 +1,103 @@
+import type { ParsedDependency } from './layers/layer3-parsers.js';
+import { isBannedPackage, isAiSdkPackage } from './rules/banned-packages.js';
+import { SCANNER_RULES_VERSION } from './regulation-version.js';
+
+export interface SbomComponent {
+  readonly type: 'library' | 'framework';
+  readonly name: string;
+  readonly version: string;
+  readonly ecosystem: string;
+  readonly isAiSdk: boolean;
+  readonly isBanned: boolean;
+  readonly licenses?: readonly string[];
+}
+
+// CycloneDX 1.5 JSON structure (simplified to match spec without external deps)
+export interface CycloneDxBom {
+  readonly bomFormat: 'CycloneDX';
+  readonly specVersion: '1.5';
+  readonly serialNumber: string;
+  readonly version: number;
+  readonly metadata: {
+    readonly timestamp: string;
+    readonly tools: readonly { readonly name: string; readonly version: string }[];
+  };
+  readonly components: readonly CycloneDxComponent[];
+}
+
+interface CycloneDxComponent {
+  readonly type: 'library' | 'framework';
+  readonly name: string;
+  readonly version: string;
+  readonly purl?: string;
+  readonly properties?: readonly { readonly name: string; readonly value: string }[];
+}
+
+const ecosystemToPurlType = (ecosystem: string): string => {
+  switch (ecosystem) {
+    case 'npm': return 'npm';
+    case 'pip': return 'pypi';
+    case 'cargo': return 'cargo';
+    case 'go': return 'golang';
+    default: return 'generic';
+  }
+};
+
+const generatePurl = (name: string, version: string, ecosystem: string): string => {
+  const purlType = ecosystemToPurlType(ecosystem);
+  const cleanVersion = version.replace(/^[\^~>=<]+/, '');
+  return `pkg:${purlType}/${encodeURIComponent(name)}@${cleanVersion}`;
+};
+
+const generateSerialNumber = (): string => {
+  const hex = (n: number): string => Math.floor(Math.random() * 16 ** n).toString(16).padStart(n, '0');
+  return `urn:uuid:${hex(8)}-${hex(4)}-${hex(4)}-${hex(4)}-${hex(12)}`;
+};
+
+export const classifyComponents = (
+  dependencies: readonly ParsedDependency[],
+): readonly SbomComponent[] =>
+  dependencies.map((dep): SbomComponent => {
+    const aiSdk = isAiSdkPackage(dep.name);
+    const banned = isBannedPackage(dep.name);
+
+    return {
+      type: aiSdk !== undefined ? 'framework' : 'library',
+      name: dep.name,
+      version: dep.version,
+      ecosystem: dep.ecosystem,
+      isAiSdk: aiSdk !== undefined,
+      isBanned: banned !== undefined,
+    };
+  });
+
+export const generateSbom = (
+  dependencies: readonly ParsedDependency[],
+): CycloneDxBom => {
+  const components = classifyComponents(dependencies);
+
+  return {
+    bomFormat: 'CycloneDX',
+    specVersion: '1.5',
+    serialNumber: generateSerialNumber(),
+    version: 1,
+    metadata: {
+      timestamp: new Date().toISOString(),
+      tools: [{
+        name: 'complior',
+        version: SCANNER_RULES_VERSION,
+      }],
+    },
+    components: components.map((c): CycloneDxComponent => ({
+      type: c.type,
+      name: c.name,
+      version: c.version.replace(/^[\^~>=<]+/, ''),
+      purl: generatePurl(c.name, c.version, c.ecosystem),
+      properties: [
+        { name: 'complior:ecosystem', value: c.ecosystem },
+        ...(c.isAiSdk ? [{ name: 'complior:ai-sdk', value: 'true' }] : []),
+        ...(c.isBanned ? [{ name: 'complior:banned', value: 'true' }] : []),
+      ],
+    })),
+  };
+};

package/src/domain/scanner/scan-cache.test.ts

@@ -0,0 +1,136 @@
+import { describe, it, expect } from 'vitest';
+import { createScanCache } from './scan-cache.js';
+import type { CacheStorage, ScanCacheData } from './scan-cache.js';
+import { createFileCacheStorage } from '../../infra/cache-storage.js';
+import { mkdirSync, rmSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+
+/** In-memory storage for unit tests (no disk I/O). */
+const createMemoryStorage = (): CacheStorage & { data?: ScanCacheData } => {
+  let stored: ScanCacheData | undefined;
+  return {
+    load: () => stored,
+    save: (data) => { stored = data; },
+    get data() { return stored; },
+  };
+};
+
+describe('ScanCache', () => {
+  it('returns undefined for uncached file', () => {
+    const cache = createScanCache();
+    const result = cache.get('src/app.ts', 'const x = 1;', Date.now());
+    expect(result).toBeUndefined();
+    expect(cache.stats().misses).toBe(1);
+  });
+
+  it('returns cached results for unchanged file (same mtime)', () => {
+    const cache = createScanCache();
+    const mtime = Date.now();
+    const results = [{ type: 'pass' as const, checkId: 'l4-disclosure', message: 'found' }];
+
+    cache.set('src/app.ts', 'const x = 1;', mtime, results, 'L4');
+    const cached = cache.get('src/app.ts', 'const x = 1;', mtime);
+
+    expect(cached).toEqual(results);
+    expect(cache.stats().hits).toBe(1);
+  });
+
+  it('returns cached results when mtime changed but content same', () => {
+    const cache = createScanCache();
+    const content = 'const x = 1;';
+    const results = [{ type: 'pass' as const, checkId: 'l4-disclosure', message: 'found' }];
+
+    cache.set('src/app.ts', content, 1000, results, 'L4');
+    const cached = cache.get('src/app.ts', content, 2000); // different mtime
+
+    expect(cached).toEqual(results);
+    expect(cache.stats().hits).toBe(1);
+  });
+
+  it('returns undefined when content actually changed', () => {
+    const cache = createScanCache();
+    const results = [{ type: 'pass' as const, checkId: 'l4-disclosure', message: 'found' }];
+
+    cache.set('src/app.ts', 'const x = 1;', 1000, results, 'L4');
+    const cached = cache.get('src/app.ts', 'const x = 2;', 2000); // different content
+
+    expect(cached).toBeUndefined();
+    expect(cache.stats().misses).toBe(1);
+  });
+
+  it('persists and loads cache via storage port', () => {
+    const storage = createMemoryStorage();
+    const cache1 = createScanCache(storage);
+    const results = [{ type: 'pass' as const, checkId: 'l4-disclosure', message: 'found' }];
+    cache1.set('src/app.ts', 'const x = 1;', 1000, results, 'L4');
+    cache1.save();
+
+    expect(storage.data).toBeDefined();
+
+    const cache2 = createScanCache(storage);
+    const cached = cache2.get('src/app.ts', 'const x = 1;', 1000);
+    expect(cached).toEqual(results);
+  });
+
+  it('no storage = in-memory only', () => {
+    const cache = createScanCache();
+    cache.set('a.ts', 'x', 1000, [{ type: 'pass' as const, checkId: 'test', message: 'ok' }], 'L4');
+    cache.save(); // no-op without storage
+    const cached = cache.get('a.ts', 'x', 1000);
+    expect(cached).toBeDefined();
+  });
+
+  it('expires L5 results after 24h TTL', () => {
+    const cache = createScanCache();
+    const results = [{ type: 'pass' as const, checkId: 'l5-deep', message: 'ok' }];
+    const mtime = Date.now();
+
+    cache.set('src/app.ts', 'const x = 1;', mtime, results, 'L5');
+
+    // L4 results should not expire
+    const l4Results = [{ type: 'pass' as const, checkId: 'l4-test', message: 'ok' }];
+    cache.set('src/other.ts', 'const y = 2;', mtime, l4Results, 'L4');
+    const l4Cached = cache.get('src/other.ts', 'const y = 2;', mtime);
+    expect(l4Cached).toEqual(l4Results);
+  });
+
+  it('tracks stats correctly', () => {
+    const cache = createScanCache();
+    cache.get('a.ts', 'a', 1); // miss
+    cache.get('b.ts', 'b', 1); // miss
+    cache.set('a.ts', 'a', 1, [], 'L4');
+    cache.get('a.ts', 'a', 1); // hit
+    cache.get('c.ts', 'c', 1); // miss
+
+    const stats = cache.stats();
+    expect(stats.hits).toBe(1);
+    expect(stats.misses).toBe(3);
+    expect(stats.entries).toBe(1);
+  });
+});
+
+describe('createFileCacheStorage', () => {
+  let testDir: string;
+
+  it('round-trips through disk', () => {
+    testDir = join(tmpdir(), `scan-cache-test-${Date.now()}`);
+    mkdirSync(testDir, { recursive: true });
+
+    try {
+      const storage = createFileCacheStorage(testDir);
+      const cache1 = createScanCache(storage);
+      const results = [{ type: 'pass' as const, checkId: 'test', message: 'ok' }];
+      cache1.set('a.ts', 'x', 1000, results, 'L4');
+      cache1.save();
+
+      expect(existsSync(join(testDir, '.complior', 'cache', 'scan-cache.json'))).toBe(true);
+
+      const storage2 = createFileCacheStorage(testDir);
+      const cache2 = createScanCache(storage2);
+      expect(cache2.get('a.ts', 'x', 1000)).toEqual(results);
+    } finally {
+      rmSync(testDir, { recursive: true, force: true });
+    }
+  });
+});

package/src/domain/scanner/scan-cache.ts

@@ -0,0 +1,115 @@
+/**
+ * E-11: Incremental scan cache.
+ * Domain-pure cache logic — I/O delegated to CacheStorage port.
+ */
+
+import { createHash } from 'node:crypto';
+import type { CheckResult } from '../../types/common.types.js';
+
+export interface CacheEntry {
+  readonly sha256: string;
+  readonly mtime: number;
+  readonly results: readonly CheckResult[];
+  readonly timestamp: number; // ms since epoch
+  readonly layer: 'L1' | 'L2' | 'L3' | 'L4' | 'L5';
+}
+
+export interface ScanCacheData {
+  readonly version: number;
+  readonly entries: Record<string, CacheEntry>; // key = relativePath
+}
+
+/** Port for cache persistence — keeps domain I/O-free. */
+export interface CacheStorage {
+  readonly load: () => ScanCacheData | undefined;
+  readonly save: (data: ScanCacheData) => void;
+}
+
+const CACHE_VERSION = 1;
+const L5_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+
+export interface ScanCache {
+  readonly get: (relativePath: string, content: string, mtime: number) => readonly CheckResult[] | undefined;
+  readonly set: (relativePath: string, content: string, mtime: number, results: readonly CheckResult[], layer: CacheEntry['layer']) => void;
+  readonly save: () => void;
+  readonly stats: () => { hits: number; misses: number; entries: number };
+}
+
+const computeHash = (content: string): string =>
+  createHash('sha256').update(content).digest('hex');
+
+export const createScanCache = (storage?: CacheStorage): ScanCache => {
+  const loaded = storage?.load();
+  const initial: ScanCacheData = (loaded && loaded.version === CACHE_VERSION)
+    ? loaded
+    : { version: CACHE_VERSION, entries: {} };
+
+  const entries = new Map<string, CacheEntry>(Object.entries(initial.entries));
+  let hits = 0;
+  let misses = 0;
+
+  const get = (relativePath: string, content: string, mtime: number): readonly CheckResult[] | undefined => {
+    const cached = entries.get(relativePath);
+    if (!cached) {
+      misses++;
+      return undefined;
+    }
+
+    // Fast-check: mtime unchanged → use cache without re-hashing
+    if (cached.mtime === mtime) {
+      if (cached.layer === 'L5') {
+        const age = Date.now() - cached.timestamp;
+        if (age > L5_TTL_MS) {
+          misses++;
+          return undefined;
+        }
+      }
+      hits++;
+      return cached.results;
+    }
+
+    // mtime changed — verify by hash
+    const hash = computeHash(content);
+    if (cached.sha256 === hash) {
+      entries.set(relativePath, { ...cached, mtime });
+      hits++;
+      return cached.results;
+    }
+
+    misses++;
+    return undefined;
+  };
+
+  const set = (
+    relativePath: string,
+    content: string,
+    mtime: number,
+    results: readonly CheckResult[],
+    layer: CacheEntry['layer'],
+  ): void => {
+    entries.set(relativePath, {
+      sha256: computeHash(content),
+      mtime,
+      results,
+      timestamp: Date.now(),
+      layer,
+    });
+  };
+
+  const save = (): void => {
+    storage?.save({
+      version: CACHE_VERSION,
+      entries: Object.fromEntries(entries),
+    });
+  };
+
+  const stats = () => ({
+    hits,
+    misses,
+    entries: entries.size,
+  });
+
+  return Object.freeze({ get, set, save, stats });
+};
+
+// Infra adapter: see infra/cache-storage.ts (createFileCacheStorage)

package/src/domain/scanner/scanner.test.ts

@@ -0,0 +1,125 @@
+import { describe, it, expect } from 'vitest';
+import { createScanner } from './create-scanner.js';
+import { createScanFile, createScanCtx } from '../../test-helpers/factories.js';
+
+describe('createScanner', () => {
+  it('returns a scanner with a scan method', () => {
+    const scanner = createScanner();
+
+    expect(scanner).toBeDefined();
+    expect(typeof scanner.scan).toBe('function');
+  });
+
+  it('scans empty project and returns results', () => {
+    const scanner = createScanner();
+    const ctx = createScanCtx([]);
+
+    const result = scanner.scan(ctx);
+
+    expect(result.projectPath).toBe('/test/project');
+    expect(result.filesScanned).toBe(0);
+    expect(result.findings).toBeDefined();
+    expect(result.scannedAt).toBeDefined();
+    expect(result.duration).toBeGreaterThanOrEqual(0);
+    expect(result.score).toBeDefined();
+  });
+
+  it('produces findings for each check', () => {
+    const scanner = createScanner();
+    const ctx = createScanCtx([
+      createScanFile('src/app.ts', 'function main() {}'),
+    ]);
+
+    const result = scanner.scan(ctx);
+
+    // Each check produces at least 1 finding
+    expect(result.findings.length).toBeGreaterThanOrEqual(7);
+  });
+
+  it('detects compliance issues in a project with AI code but no compliance docs', () => {
+    const scanner = createScanner();
+    const ctx = createScanCtx([
+      createScanFile('src/chat.tsx', `
+        import OpenAI from 'openai';
+        function ChatBot() {
+          return <div>chatbot</div>;
+        }
+      `),
+      createScanFile('package.json', '{"dependencies":{"openai":"^4.0.0"}}'),
+    ]);
+
+    const result = scanner.scan(ctx);
+
+    const failFindings = result.findings.filter((f) => f.type === 'fail');
+    expect(failFindings.length).toBeGreaterThan(0);
+
+    // Should fail for missing disclosure (chatbot without disclosure text)
+    const disclosureFinding = result.findings.find((f) => f.checkId === 'ai-disclosure');
+    expect(disclosureFinding?.type).toBe('fail');
+
+    // Should fail for missing logging
+    const loggingFinding = result.findings.find((f) => f.checkId === 'interaction-logging');
+    expect(loggingFinding?.type).toBe('fail');
+
+    // Should fail for missing documentation
+    const docFinding = result.findings.find((f) => f.checkId === 'documentation');
+    expect(docFinding?.type).toBe('fail');
+  });
+
+  it('passes checks for a well-documented project', () => {
+    const scanner = createScanner();
+    const ctx = createScanCtx([
+      createScanFile('src/Chat.tsx', `
+        <div>
+          <p>This is an AI-powered assistant</p>
+          <ChatWidget />
+        </div>
+      `),
+      createScanFile('src/logger.ts', `
+        import pino from 'pino';
+        const logger = pino();
+        function logInteraction(session_id, input, output) {
+          logger.info({ timestamp: Date.now(), session_id, input, output });
+        }
+      `),
+      createScanFile('COMPLIANCE.md', '# EU AI Act Compliance\nRisk assessment documentation'),
+      createScanFile('AI-LITERACY.md', '# AI Literacy Policy'),
+      createScanFile('.complior/config.json', '{"version":"1.0"}'),
+      createScanFile('.well-known/ai-compliance.json', '{"compliant":true}'),
+    ]);
+
+    const result = scanner.scan(ctx);
+
+    const passFindings = result.findings.filter((f) => f.type === 'pass');
+    expect(passFindings.length).toBeGreaterThanOrEqual(5);
+  });
+
+  it('includes placeholder score breakdown', () => {
+    const scanner = createScanner();
+    const ctx = createScanCtx([]);
+
+    const result = scanner.scan(ctx);
+
+    expect(result.score.totalScore).toBeGreaterThanOrEqual(0);
+    expect(['red', 'yellow']).toContain(result.score.zone);
+    expect(result.score.totalChecks).toBe(result.findings.length);
+  });
+
+  it('counts pass/fail/skip correctly in score', () => {
+    const scanner = createScanner();
+    const ctx = createScanCtx([
+      createScanFile('COMPLIANCE.md', '# Compliance Documentation'),
+    ]);
+
+    const result = scanner.scan(ctx);
+
+    const passes = result.findings.filter((f) => f.type === 'pass').length;
+    const fails = result.findings.filter((f) => f.type === 'fail').length;
+    const skips = result.findings.filter((f) => f.type === 'skip').length;
+
+    expect(result.score.passedChecks).toBe(passes);
+    expect(result.score.failedChecks).toBe(fails);
+    expect(result.score.skippedChecks).toBe(skips);
+    expect(result.score.totalChecks).toBe(passes + fails + skips);
+  });
+});