@continum/cli 0.1.0

package/src/commands/scan.ts

@@ -0,0 +1,257 @@
+import chalk from 'chalk';
+import prompts from 'prompts';
+import * as fs from 'fs';
+import * as path from 'path';
+import { LocalScanner } from '../scanner/local-scan';
+import { loadConfig, loadCredentials } from '../config/loader';
+import { getStagedFiles, getStagedDiff } from '../git/git-utils';
+import { ContinumApiClient } from '../api/client';
+import { PatternUpdater } from '../scanner/pattern-updater';
+import { UnknownPattern, RiskLevel } from '../types';
+
+interface ScanOptions {
+  staged?: boolean;
+  hook?: boolean;
+  strict?: boolean;
+  autoApprove?: boolean;
+  warnOnly?: boolean;
+  files?: string[];
+}
+
+export async function scanCommand(options: ScanOptions): Promise<void> {
+  const config = loadConfig();
+  const credentials = loadCredentials();
+
+  // Update patterns if we have credentials
+  let customPatterns: any[] = [];
+  if (credentials.apiUrl && credentials.apiKey) {
+    try {
+      const client = new ContinumApiClient(credentials.apiUrl, credentials.apiKey);
+      const updater = new PatternUpdater(client);
+      await updater.updatePatterns();
+      customPatterns = updater.loadPatterns();
+    } catch (error) {
+      // Continue with built-in patterns only
+    }
+  }
+
+  // Determine which files to scan
+  let filesToScan: string[] = [];
+  
+  if (options.staged) {
+    filesToScan = getStagedFiles();
+  } else if (options.files && options.files.length > 0) {
+    filesToScan = options.files;
+  } else {
+    console.log(chalk.red('✗ No files specified'));
+    console.log(chalk.gray('  Use --staged to scan staged files, or provide file paths'));
+    process.exit(1);
+  }
+
+  if (filesToScan.length === 0) {
+    console.log(chalk.yellow('⚠️  No files to scan'));
+    process.exit(0);
+  }
+
+  // Run scan
+  if (!options.hook) {
+    console.log(chalk.blue(`\nContinum — scanning ${filesToScan.length} file(s)...\n`));
+  }
+
+  const scanner = new LocalScanner(config, customPatterns);
+  const result = await scanner.scanFiles(filesToScan);
+
+  // Handle violations
+  if (result.violations.length > 0) {
+    console.log(chalk.red.bold('❌  BLOCKED\n'));
+
+    for (const violation of result.violations) {
+      const shouldBlock = config.block.includes(violation.severity);
+      const shouldWarn = config.warn.includes(violation.severity);
+
+      if (shouldBlock || shouldWarn) {
+        console.log(chalk.gray(`${violation.file} (line ${violation.line})`));
+        console.log(chalk.gray('─'.repeat(50)));
+        console.log(`Type:     ${violation.type}`);
+        console.log(`Found:    ${scanner.redactValue(violation.value)}`);
+        console.log(`Severity: ${getSeverityColor(violation.severity)(violation.severity)}`);
+        if (violation.message) {
+          console.log(`Message:  ${violation.message}`);
+        }
+        console.log();
+      }
+    }
+
+    const blockedCount = result.violations.filter(v => 
+      config.block.includes(v.severity)
+    ).length;
+
+    if (blockedCount > 0 && !options.warnOnly) {
+      console.log(chalk.red('Fix these before committing.'));
+      console.log(chalk.gray('Override (not recommended): git commit --no-verify\n'));
+      process.exit(1);
+    }
+  }
+
+  // Handle unknown patterns
+  if (result.unknownPatterns.length > 0 && !options.autoApprove) {
+    for (const pattern of result.unknownPatterns) {
+      await handleUnknownPattern(pattern, scanner, credentials, options);
+    }
+  } else if (result.unknownPatterns.length > 0 && options.autoApprove) {
+    // Auto-approve all patterns
+    for (const pattern of result.unknownPatterns) {
+      await approvePattern(pattern, scanner, credentials, 'HIGH');
+    }
+  }
+
+  // Send background audit if we have credentials
+  if (credentials.apiUrl && credentials.apiKey && options.staged) {
+    try {
+      const client = new ContinumApiClient(credentials.apiUrl, credentials.apiKey);
+      const diff = getStagedDiff();
+      await client.sendSandboxAudit(diff, config.sandbox);
+    } catch (error) {
+      // Silent fail for background audit
+    }
+  }
+
+  // Success
+  if (result.clean) {
+    if (!options.hook) {
+      console.log(chalk.green('✓ Clean\n'));
+    }
+    process.exit(0);
+  }
+}
+
+async function handleUnknownPattern(
+  pattern: UnknownPattern,
+  scanner: LocalScanner,
+  credentials: { apiUrl?: string; apiKey?: string },
+  options: ScanOptions
+): Promise<void> {
+  console.log(chalk.yellow('\n⚠️  POSSIBLE CREDENTIAL DETECTED\n'));
+  console.log(chalk.gray(`${pattern.context.file} (line ${pattern.context.line})`));
+  console.log(chalk.gray('─'.repeat(50)));
+  console.log(`Type:    UNKNOWN_PATTERN (${pattern.confidence} confidence)`);
+  console.log(`Found:   ${scanner.redactValue(pattern.value)}`);
+  console.log(`Pattern: ${pattern.suggestedPattern}`);
+  console.log('\nThis looks like a credential, but it\'s not in our pattern library.\n');
+
+  if (options.strict) {
+    console.log(chalk.red('Commit blocked (strict mode)'));
+    process.exit(1);
+  }
+
+  const { action } = await prompts({
+    type: 'select',
+    name: 'action',
+    message: 'What would you like to do?',
+    choices: [
+      { title: 'Block this commit', value: 'block' },
+      { title: 'Approve pattern and block (will catch in future)', value: 'approve' },
+      { title: 'Ignore this pattern', value: 'ignore' },
+      { title: 'Continue anyway (not recommended)', value: 'continue' }
+    ]
+  });
+
+  switch (action) {
+    case 'approve':
+      await approvePattern(pattern, scanner, credentials);
+      console.log(chalk.green('✓ Pattern saved to your library'));
+      console.log(chalk.green('✓ This pattern will now be caught locally on future commits\n'));
+      process.exit(1);
+
+    case 'block':
+      process.exit(1);
+
+    case 'ignore':
+      console.log(chalk.gray('Pattern ignored\n'));
+      break;
+
+    case 'continue':
+      console.log(chalk.yellow('⚠️  Continuing without blocking\n'));
+      break;
+  }
+}
+
+async function approvePattern(
+  pattern: UnknownPattern,
+  scanner: LocalScanner,
+  credentials: { apiUrl?: string; apiKey?: string },
+  defaultSeverity?: RiskLevel
+): Promise<void> {
+  if (!credentials.apiUrl || !credentials.apiKey) {
+    console.log(chalk.red('✗ No API credentials configured'));
+    console.log(chalk.gray('  Run `continum init` to set up credentials'));
+    return;
+  }
+
+  let description = `Custom pattern for ${pattern.context.variableName || 'credential'}`;
+  let severity: RiskLevel = defaultSeverity || 'HIGH';
+
+  if (!defaultSeverity) {
+    const response = await prompts([
+      {
+        type: 'text',
+        name: 'description',
+        message: 'Pattern description:',
+        initial: description
+      },
+      {
+        type: 'select',
+        name: 'severity',
+        message: 'Severity level:',
+        choices: [
+          { title: 'Critical', value: 'CRITICAL' },
+          { title: 'High', value: 'HIGH' },
+          { title: 'Medium', value: 'MEDIUM' }
+        ],
+        initial: 1
+      }
+    ]);
+
+    if (response.description) description = response.description;
+    if (response.severity) severity = response.severity;
+  }
+
+  try {
+    const client = new ContinumApiClient(credentials.apiUrl, credentials.apiKey);
+    await client.approvePattern({
+      pattern: pattern.suggestedPattern,
+      patternType: 'CUSTOM',
+      description,
+      severity,
+      exampleValue: scanner.redactValue(pattern.value),
+      confidence: pattern.confidence,
+      context: {
+        file: pattern.context.file,
+        line: pattern.context.line,
+        variableName: pattern.context.variableName
+      }
+    });
+
+    // Update local cache
+    const updater = new PatternUpdater(client);
+    await updater.updatePatterns(true);
+  } catch (error) {
+    console.log(chalk.red('✗ Failed to save pattern'));
+    console.log(chalk.gray(`  ${error instanceof Error ? error.message : 'Unknown error'}`));
+  }
+}
+
+function getSeverityColor(severity: RiskLevel) {
+  switch (severity) {
+    case 'CRITICAL':
+      return chalk.red.bold;
+    case 'HIGH':
+      return chalk.red;
+    case 'MEDIUM':
+      return chalk.yellow;
+    case 'LOW':
+      return chalk.gray;
+    default:
+      return chalk.white;
+  }
+}

package/src/commands/status.ts

@@ -0,0 +1,57 @@
+import chalk from 'chalk';
+import { loadConfig, loadCredentials } from '../config/loader';
+import { ContinumApiClient } from '../api/client';
+import { hasPreCommitHook, isGitRepository } from '../git/git-utils';
+
+export async function statusCommand(): Promise<void> {
+  console.log(chalk.blue.bold('\n🛡️  Continum Status\n'));
+
+  // Check git repository
+  if (!isGitRepository()) {
+    console.log(chalk.red('✗ Not in a git repository'));
+    return;
+  }
+  console.log(chalk.green('✓ Git repository detected'));
+
+  // Check config file
+  const config = loadConfig();
+  if (config) {
+    console.log(chalk.green('✓ Configuration file found'));
+    console.log(chalk.gray(`  Sandbox: ${config.sandbox}`));
+    console.log(chalk.gray(`  Block: ${config.block.join(', ')}`));
+    console.log(chalk.gray(`  Warn: ${config.warn.join(', ')}`));
+  } else {
+    console.log(chalk.yellow('⚠️  No configuration file'));
+    console.log(chalk.gray('  Run `continum init` to create one'));
+  }
+
+  // Check pre-commit hook
+  if (hasPreCommitHook()) {
+    console.log(chalk.green('✓ Pre-commit hook installed'));
+  } else {
+    console.log(chalk.yellow('⚠️  Pre-commit hook not installed'));
+    console.log(chalk.gray('  Run `continum init` to install'));
+  }
+
+  // Check API connection
+  const credentials = loadCredentials();
+  if (credentials.apiUrl && credentials.apiKey) {
+    console.log(chalk.gray('\nTesting API connection...'));
+    
+    try {
+      const client = new ContinumApiClient(credentials.apiUrl, credentials.apiKey);
+      const status = await client.testConnection();
+      console.log(chalk.green(`✓ Connected to Continum API`));
+      console.log(chalk.gray(`  Customer: ${status.customer}`));
+      console.log(chalk.gray(`  Endpoint: ${credentials.apiUrl}`));
+    } catch (error) {
+      console.log(chalk.red('✗ Failed to connect to API'));
+      console.log(chalk.gray(`  ${error instanceof Error ? error.message : 'Unknown error'}`));
+    }
+  } else {
+    console.log(chalk.yellow('\n⚠️  No API credentials configured'));
+    console.log(chalk.gray('  Run `continum init` to set up'));
+  }
+
+  console.log();
+}

package/src/commands/uninstall.ts

@@ -0,0 +1,55 @@
+import chalk from 'chalk';
+import prompts from 'prompts';
+import * as fs from 'fs';
+import * as path from 'path';
+import { uninstallPreCommitHook, isGitRepository, getGitRoot } from '../git/git-utils';
+
+export async function uninstallCommand(): Promise<void> {
+  console.log(chalk.blue.bold('\n🛡️  Uninstall Continum\n'));
+
+  if (!isGitRepository()) {
+    console.log(chalk.red('✗ Not in a git repository'));
+    process.exit(1);
+  }
+
+  const { confirm } = await prompts({
+    type: 'confirm',
+    name: 'confirm',
+    message: 'Remove Continum pre-commit hook from this repository?',
+    initial: false
+  });
+
+  if (!confirm) {
+    console.log(chalk.gray('Cancelled'));
+    process.exit(0);
+  }
+
+  try {
+    uninstallPreCommitHook();
+    console.log(chalk.green('✓ Pre-commit hook removed'));
+  } catch (error) {
+    console.log(chalk.red('✗ Failed to remove hook'));
+    console.log(chalk.gray(`  ${error instanceof Error ? error.message : 'Unknown error'}`));
+    process.exit(1);
+  }
+
+  // Ask about config file
+  const gitRoot = getGitRoot();
+  const configPath = path.join(gitRoot, '.continum.json');
+  
+  if (fs.existsSync(configPath)) {
+    const { removeConfig } = await prompts({
+      type: 'confirm',
+      name: 'removeConfig',
+      message: 'Also remove .continum.json config file?',
+      initial: false
+    });
+
+    if (removeConfig) {
+      fs.unlinkSync(configPath);
+      console.log(chalk.green('✓ Config file removed'));
+    }
+  }
+
+  console.log(chalk.blue('\n✓ Continum uninstalled\n'));
+}

package/src/config/default-config.ts

@@ -0,0 +1,23 @@
+import { ContinumConfig } from '../types';
+
+export const DEFAULT_CONFIG: ContinumConfig = {
+  scanOnCommit: true,
+  sandbox: 'default',
+  block: ['CRITICAL', 'HIGH'],
+  warn: ['MEDIUM'],
+  ignore: [
+    '.env.example',
+    '**/*.test.ts',
+    '**/*.test.js',
+    '**/*.spec.ts',
+    '**/*.spec.js',
+    '**/fixtures/**',
+    '**/mocks/**',
+    '**/test/**',
+    '**/tests/**',
+    '**/__tests__/**'
+  ],
+  patterns: {
+    custom: []
+  }
+};

package/src/config/loader.ts

@@ -0,0 +1,67 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import { ContinumConfig } from '../types';
+import { DEFAULT_CONFIG } from './default-config';
+
+const CONFIG_FILE = '.continum.json';
+const CACHE_DIR = path.join(os.homedir(), '.continum');
+const CACHE_FILE = path.join(CACHE_DIR, 'patterns.json');
+const CREDENTIALS_FILE = path.join(CACHE_DIR, 'credentials.json');
+
+export function loadConfig(cwd: string = process.cwd()): ContinumConfig {
+  const configPath = path.join(cwd, CONFIG_FILE);
+  
+  if (!fs.existsSync(configPath)) {
+    return DEFAULT_CONFIG;
+  }
+
+  try {
+    const configContent = fs.readFileSync(configPath, 'utf-8');
+    const config = JSON.parse(configContent);
+    return { ...DEFAULT_CONFIG, ...config };
+  } catch (error) {
+    console.error('Error loading config file, using defaults');
+    return DEFAULT_CONFIG;
+  }
+}
+
+export function saveConfig(config: ContinumConfig, cwd: string = process.cwd()): void {
+  const configPath = path.join(cwd, CONFIG_FILE);
+  fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
+}
+
+export function loadCredentials(): { apiUrl?: string; apiKey?: string } {
+  if (!fs.existsSync(CREDENTIALS_FILE)) {
+    return {};
+  }
+
+  try {
+    const content = fs.readFileSync(CREDENTIALS_FILE, 'utf-8');
+    return JSON.parse(content);
+  } catch (error) {
+    return {};
+  }
+}
+
+export function saveCredentials(apiUrl: string, apiKey: string): void {
+  if (!fs.existsSync(CACHE_DIR)) {
+    fs.mkdirSync(CACHE_DIR, { recursive: true });
+  }
+
+  fs.writeFileSync(
+    CREDENTIALS_FILE,
+    JSON.stringify({ apiUrl, apiKey }, null, 2)
+  );
+}
+
+export function getCacheDir(): string {
+  if (!fs.existsSync(CACHE_DIR)) {
+    fs.mkdirSync(CACHE_DIR, { recursive: true });
+  }
+  return CACHE_DIR;
+}
+
+export function getCacheFile(): string {
+  return CACHE_FILE;
+}

package/src/git/git-utils.ts

@@ -0,0 +1,95 @@
+import { execSync } from 'child_process';
+import * as fs from 'fs';
+import * as path from 'path';
+
+export function getStagedFiles(): string[] {
+  try {
+    const output = execSync('git diff --cached --name-only --diff-filter=ACM', {
+      encoding: 'utf-8'
+    });
+    
+    return output
+      .split('\n')
+      .filter(file => file.trim() !== '')
+      .map(file => file.trim());
+  } catch (error) {
+    throw new Error('Failed to get staged files. Are you in a git repository?');
+  }
+}
+
+export function getStagedDiff(): string {
+  try {
+    return execSync('git diff --cached', { encoding: 'utf-8' });
+  } catch (error) {
+    throw new Error('Failed to get staged diff');
+  }
+}
+
+export function isGitRepository(): boolean {
+  try {
+    execSync('git rev-parse --git-dir', { stdio: 'ignore' });
+    return true;
+  } catch (error) {
+    return false;
+  }
+}
+
+export function getGitRoot(): string {
+  try {
+    const output = execSync('git rev-parse --show-toplevel', {
+      encoding: 'utf-8'
+    });
+    return output.trim();
+  } catch (error) {
+    throw new Error('Not in a git repository');
+  }
+}
+
+export function installPreCommitHook(): void {
+  const gitRoot = getGitRoot();
+  const hookPath = path.join(gitRoot, '.git', 'hooks', 'pre-commit');
+  
+  const hookContent = `#!/bin/sh
+# Continum pre-commit hook
+# This hook runs the Continum CLI scanner before each commit
+
+npx @continum/cli scan --staged --hook
+
+# Exit with the same code as the scanner
+exit $?
+`;
+
+  fs.writeFileSync(hookPath, hookContent, { mode: 0o755 });
+}
+
+export function uninstallPreCommitHook(): void {
+  const gitRoot = getGitRoot();
+  const hookPath = path.join(gitRoot, '.git', 'hooks', 'pre-commit');
+  
+  if (fs.existsSync(hookPath)) {
+    const content = fs.readFileSync(hookPath, 'utf-8');
+    
+    // Only remove if it's our hook
+    if (content.includes('Continum pre-commit hook')) {
+      fs.unlinkSync(hookPath);
+    } else {
+      throw new Error('Pre-commit hook exists but is not a Continum hook. Remove manually.');
+    }
+  }
+}
+
+export function hasPreCommitHook(): boolean {
+  try {
+    const gitRoot = getGitRoot();
+    const hookPath = path.join(gitRoot, '.git', 'hooks', 'pre-commit');
+    
+    if (!fs.existsSync(hookPath)) {
+      return false;
+    }
+    
+    const content = fs.readFileSync(hookPath, 'utf-8');
+    return content.includes('Continum pre-commit hook');
+  } catch (error) {
+    return false;
+  }
+}

package/src/index.ts

@@ -0,0 +1,72 @@
+#!/usr/bin/env node
+
+import { Command } from 'commander';
+import { loginCommand } from './commands/login';
+import { initCommand } from './commands/init';
+import { scanCommand } from './commands/scan';
+import { patternsUpdateCommand, patternsListCommand } from './commands/patterns';
+import { statusCommand } from './commands/status';
+import { uninstallCommand } from './commands/uninstall';
+
+const program = new Command();
+
+program
+  .name('continum')
+  .description('Continum CLI - Pre-commit credential scanner and pattern learning tool')
+  .version('0.1.0');
+
+// Login command
+program
+  .command('login')
+  .description('Authenticate with Continum (opens browser)')
+  .action(loginCommand);
+
+// Init command
+program
+  .command('init')
+  .description('Initialize Continum in a project (creates config, installs git hook)')
+  .option('--silent', 'Run without prompts (for postinstall scripts)')
+  .action(initCommand);
+
+// Scan command
+program
+  .command('scan')
+  .description('Scan files for credentials and sensitive data')
+  .option('--staged', 'Scan staged files (for pre-commit hook)')
+  .option('--hook', 'Running from git hook (minimal output)')
+  .option('--strict', 'Block on unknown patterns without prompting')
+  .option('--auto-approve', 'Automatically approve unknown patterns')
+  .option('--warn-only', 'Show warnings but don\'t block commits')
+  .argument('[files...]', 'Files to scan')
+  .action((files: string[], options: any) => {
+    scanCommand({ ...options, files });
+  });
+
+// Patterns commands
+const patterns = program
+  .command('patterns')
+  .description('Manage credential patterns');
+
+patterns
+  .command('update')
+  .description('Update patterns from Continum API')
+  .action(patternsUpdateCommand);
+
+patterns
+  .command('list')
+  .description('List all available patterns')
+  .action(patternsListCommand);
+
+// Status command
+program
+  .command('status')
+  .description('Check Continum configuration and connection')
+  .action(statusCommand);
+
+// Uninstall command
+program
+  .command('uninstall')
+  .description('Remove Continum pre-commit hook')
+  .action(uninstallCommand);
+
+program.parse(process.argv);