npm - @dailephd/my-dev-kit-lab - Versions diffs - 0.2.0 - Mend

@dailephd/my-dev-kit-lab 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (250) hide show

package/dist/src/securityValidation/cliAdversarial/tempWorkspace.js ADDED Viewed

@@ -0,0 +1,160 @@
+import { createHash } from "node:crypto";
+import { mkdirSync, mkdtempSync, readdirSync, readFileSync, statSync, writeFileSync, } from "node:fs";
+import { rm } from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+// ---------------------------------------------------------------------------
+// Workspace creation
+// ---------------------------------------------------------------------------
+export function createTempWorkspace(prefix = "adv-cli-") {
+    const root = mkdtempSync(path.join(os.tmpdir(), prefix));
+    const sourceDir = path.join(root, "source");
+    const outputDir = path.join(root, "output");
+    const indexDir = path.join(root, "index");
+    // Create outside dir as a sibling of root (not inside it).
+    const outsideDir = mkdtempSync(path.join(os.tmpdir(), `${prefix}outside-`));
+    mkdirSync(sourceDir, { recursive: true });
+    mkdirSync(outputDir, { recursive: true });
+    mkdirSync(indexDir, { recursive: true });
+    // Populate source dir with sentinel files that must not be modified.
+    writeFileSync(path.join(sourceDir, "index.ts"), "export const x = 1;\n", "utf8");
+    writeFileSync(path.join(sourceDir, "utils.ts"), "export function noop() {}\n", "utf8");
+    writeFileSync(path.join(sourceDir, "package.json"), JSON.stringify({ name: "sentinel-pkg", version: "1.0.0" }, null, 2) + "\n", "utf8");
+    // Place a sentinel file in outsideDir to verify it is not touched.
+    writeFileSync(path.join(outsideDir, "outside-sentinel.txt"), "must-not-be-modified\n", "utf8");
+    return {
+        root,
+        sourceDir,
+        outputDir,
+        indexDir,
+        outsideDir,
+        cleanup: async () => {
+            await Promise.all([
+                rm(root, { recursive: true, force: true }),
+                rm(outsideDir, { recursive: true, force: true }),
+            ]);
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// File snapshotting
+// ---------------------------------------------------------------------------
+function hashFile(filePath) {
+    try {
+        const content = readFileSync(filePath);
+        return createHash("sha256").update(content).digest("hex");
+    }
+    catch {
+        return "<unreadable>";
+    }
+}
+export function snapshotDir(dir) {
+    const snapshots = [];
+    collectSnapshots(dir, dir, snapshots);
+    return snapshots.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
+}
+function collectSnapshots(baseDir, currentDir, out) {
+    let entries;
+    try {
+        entries = readdirSync(currentDir);
+    }
+    catch {
+        return;
+    }
+    for (const entry of entries) {
+        const abs = path.join(currentDir, entry);
+        let stat;
+        try {
+            stat = statSync(abs);
+        }
+        catch {
+            continue;
+        }
+        if (stat.isDirectory()) {
+            collectSnapshots(baseDir, abs, out);
+        }
+        else if (stat.isFile()) {
+            out.push({
+                relativePath: path.relative(baseDir, abs),
+                absolutePath: abs,
+                contentHash: hashFile(abs),
+            });
+        }
+    }
+}
+export function diffSnapshots(before, after) {
+    const beforeMap = new Map(before.map((s) => [s.relativePath, s.contentHash]));
+    const afterMap = new Map(after.map((s) => [s.relativePath, s.contentHash]));
+    const added = [];
+    const removed = [];
+    const modified = [];
+    for (const [rel, hash] of afterMap) {
+        if (!beforeMap.has(rel)) {
+            added.push(rel);
+        }
+        else if (beforeMap.get(rel) !== hash) {
+            modified.push(rel);
+        }
+    }
+    for (const rel of beforeMap.keys()) {
+        if (!afterMap.has(rel)) {
+            removed.push(rel);
+        }
+    }
+    return { added, removed, modified };
+}
+// ---------------------------------------------------------------------------
+// Write-escape detection
+// ---------------------------------------------------------------------------
+/**
+ * Returns any files found in `checkDir` that are NOT underneath any of the
+ * `allowedDirs`. Used to detect writes outside declared output paths.
+ */
+export function findWritesOutside(checkDir, allowedDirs) {
+    const normalizedAllowed = allowedDirs.map((d) => path.resolve(d) + path.sep);
+    const escaped = [];
+    collectEscapedFiles(checkDir, normalizedAllowed, escaped);
+    return escaped;
+}
+function collectEscapedFiles(dir, allowedDirs, out) {
+    let entries;
+    try {
+        entries = readdirSync(dir);
+    }
+    catch {
+        return;
+    }
+    for (const entry of entries) {
+        const abs = path.join(dir, entry);
+        let stat;
+        try {
+            stat = statSync(abs);
+        }
+        catch {
+            continue;
+        }
+        const normalizedAbs = path.resolve(abs);
+        const isAllowed = allowedDirs.some((allowed) => normalizedAbs === allowed.slice(0, -1) ||
+            normalizedAbs.startsWith(allowed));
+        if (!isAllowed) {
+            if (stat.isDirectory()) {
+                collectEscapedFiles(abs, allowedDirs, out);
+            }
+            else {
+                out.push(normalizedAbs);
+            }
+        }
+        else if (stat.isDirectory()) {
+            collectEscapedFiles(abs, allowedDirs, out);
+        }
+    }
+}
+/**
+ * Returns files in `dir` that were not present in the `beforeSnapshot`.
+ * Simple alternative to `findWritesOutside` when checking one directory.
+ */
+export function findNewFiles(dir, beforeSnapshot) {
+    const afterSnapshot = snapshotDir(dir);
+    const diff = diffSnapshots(beforeSnapshot, afterSnapshot);
+    return diff.added.map((rel) => path.join(dir, rel));
+}

package/dist/src/securityValidation/commandRunner.js ADDED Viewed

@@ -0,0 +1,136 @@
+import { spawn } from "node:child_process";
+import { resolveCommand } from "../core/resolveCommand.js";
+// Prefer the unqualified npm command and let the shared resolver locate
+// npm.cmd/.ps1 shims or direct executables per platform.
+export function resolveNpmCommand() {
+    return "npm";
+}
+// Runs a security check command with an argument array (no shell interpolation).
+// npm audit returns exit code 1 on vulnerabilities; that is not treated as a
+// spawn failure here — the caller inspects the output and exit code separately.
+export async function runSecurityCommand(options) {
+    const started = Date.now();
+    const resolved = resolveCommand(options.command, {
+        cwd: options.cwd,
+        env: process.env,
+        allowPowerShellShim: false,
+    });
+    const command = resolved.command;
+    const needsResolvedPathArg = resolved.resolutionKind === "windows-cmd-shim" ||
+        resolved.resolutionKind === "windows-powershell-shim";
+    const args = [
+        ...resolved.argsPrefix,
+        ...(needsResolvedPathArg && resolved.resolvedPath ? [resolved.resolvedPath] : []),
+        ...options.args,
+    ];
+    if (resolved.resolutionKind === "unavailable") {
+        return {
+            command: options.command,
+            args: options.args,
+            cwd: options.cwd,
+            exitCode: null,
+            durationMs: Date.now() - started,
+            stdout: "",
+            stderr: resolved.warnings.join("\n"),
+            timedOut: false,
+            skipped: false,
+        };
+    }
+    return new Promise((resolve) => {
+        let stdout = "";
+        let stderr = "";
+        let timedOut = false;
+        let settled = false;
+        let timeout;
+        let child;
+        try {
+            child = spawn(command, args, {
+                cwd: options.cwd,
+                shell: false,
+                stdio: ["ignore", "pipe", "pipe"],
+            });
+        }
+        catch (spawnErr) {
+            resolve({
+                command,
+                args,
+                cwd: options.cwd,
+                exitCode: null,
+                durationMs: Date.now() - started,
+                stdout: "",
+                stderr: spawnErr instanceof Error ? spawnErr.message : String(spawnErr),
+                timedOut: false,
+                skipped: false,
+            });
+            return;
+        }
+        child.stdout.on("data", (chunk) => {
+            stdout += chunk.toString("utf8");
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += chunk.toString("utf8");
+        });
+        child.on("error", (error) => {
+            if (settled)
+                return;
+            settled = true;
+            if (timeout)
+                clearTimeout(timeout);
+            resolve({
+                command,
+                args,
+                cwd: options.cwd,
+                exitCode: null,
+                durationMs: Date.now() - started,
+                stdout,
+                stderr: error.message,
+                timedOut,
+                skipped: false,
+            });
+        });
+        if (options.timeoutMs > 0) {
+            timeout = setTimeout(() => {
+                timedOut = true;
+                try {
+                    child.kill("SIGTERM");
+                }
+                catch {
+                    // Process may have already exited.
+                }
+            }, options.timeoutMs);
+        }
+        child.on("close", (exitCode) => {
+            if (settled)
+                return;
+            settled = true;
+            if (timeout)
+                clearTimeout(timeout);
+            resolve({
+                command,
+                args,
+                cwd: options.cwd,
+                exitCode,
+                durationMs: Date.now() - started,
+                stdout,
+                stderr,
+                timedOut,
+                skipped: false,
+            });
+        });
+    });
+}
+// Returns a skipped result when a tool is not available.
+export function skippedResult(options) {
+    return {
+        command: options.command,
+        args: options.args,
+        cwd: options.cwd,
+        exitCode: null,
+        durationMs: 0,
+        stdout: "",
+        stderr: "",
+        timedOut: false,
+        skipped: true,
+        skippedReason: options.reason,
+    };
+}

package/dist/src/securityValidation/config.js ADDED Viewed

@@ -0,0 +1,39 @@
+import path from "path";
+// Patterns that should not appear in the npm tarball.
+// These represent generated lab artifacts, secrets, and machine-specific files
+// that are safe in the repo but must not be published.
+const DEFAULT_FORBIDDEN_PATTERNS = [
+    "lab-output/",
+    ".my-dev-kit/",
+    "reports/security/",
+    "reports/security/raw/",
+    "__pycache__/",
+    "*.pyc",
+    ".env",
+    ".env.",
+    "*.pem",
+    "*.key",
+    "*.p12",
+    "*.tgz",
+    "*.tar",
+    "node_modules/",
+    "coverage/",
+    "tmp/",
+    "temp/",
+    "smoke/",
+    "docs/coding_generation_guideline.md",
+    "docs/DOCUMENTATION_AUDIT_REPORT.txt",
+    "docs/EXPERIMENT_REPORT_MIGRATION_PLAN.md",
+    "docs/FINAL_BATCH_HANDOFF.txt",
+    "docs/FINAL_VERIFICATION_REPORT.txt",
+    "docs/PUBLIC_RELEASE_CHECKLIST.md",
+    "docs/REAL_AGENT_BENCHMARK_CAMPAIGN_REPORT.txt",
+];
+export const DEFAULT_SECURITY_CONFIG = {
+    reportDir: path.join("reports", "security"),
+    rawOutputDir: path.join("reports", "security", "raw"),
+    forbiddenPackagePatterns: DEFAULT_FORBIDDEN_PATTERNS,
+    allowedPackageExceptions: [],
+    commandTimeoutMs: 60_000,
+    requireOsvScanner: false,
+};

package/dist/src/securityValidation/dependencies/parseNpmAudit.js ADDED Viewed

@@ -0,0 +1,115 @@
+const EMPTY_COUNTS = {
+    critical: 0,
+    high: 0,
+    moderate: 0,
+    low: 0,
+    info: 0,
+    total: 0,
+};
+function npmSeverityToInternal(npmSeverity) {
+    switch (npmSeverity.toLowerCase()) {
+        case "critical":
+        case "high":
+            return "blocker";
+        case "moderate":
+            return "major";
+        case "low":
+            return "minor";
+        default:
+            return "informational";
+    }
+}
+// Parse npm audit --json stdout into structured findings.
+// npm audit exits with code 1 when vulnerabilities are found; that is not an
+// error here — the exit code is checked separately by the runner.
+export function parseNpmAudit(stdout, checkId) {
+    if (!stdout.trim()) {
+        return {
+            ok: true,
+            severityCounts: { ...EMPTY_COUNTS },
+            findings: [],
+        };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(stdout);
+    }
+    catch (err) {
+        return {
+            ok: false,
+            severityCounts: { ...EMPTY_COUNTS },
+            findings: [],
+            parseError: `Failed to parse npm audit JSON: ${err instanceof Error ? err.message : String(err)}`,
+        };
+    }
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+        return {
+            ok: false,
+            severityCounts: { ...EMPTY_COUNTS },
+            findings: [],
+            parseError: "npm audit JSON is not an object",
+        };
+    }
+    const auditData = parsed;
+    const metadata = auditData["metadata"];
+    const vulnerabilities = metadata?.["vulnerabilities"];
+    const counts = {
+        critical: Number(vulnerabilities?.["critical"] ?? 0),
+        high: Number(vulnerabilities?.["high"] ?? 0),
+        moderate: Number(vulnerabilities?.["moderate"] ?? 0),
+        low: Number(vulnerabilities?.["low"] ?? 0),
+        info: Number(vulnerabilities?.["info"] ?? 0),
+        total: Number(vulnerabilities?.["total"] ?? 0),
+    };
+    const findings = [];
+    const vulnsMap = auditData["vulnerabilities"];
+    if (vulnsMap) {
+        for (const [pkgName, vulnData] of Object.entries(vulnsMap)) {
+            const vuln = vulnData;
+            const severity = typeof vuln["severity"] === "string" ? vuln["severity"] : "moderate";
+            const via = vuln["via"];
+            const advisories = Array.isArray(via)
+                ? via.filter((v) => typeof v === "object" && v !== null && "title" in v)
+                : [];
+            if (advisories.length > 0) {
+                for (const advisory of advisories) {
+                    findings.push({
+                        id: `${checkId}-${pkgName}-${String(advisory["source"] ?? advisory["title"] ?? "vuln")}`,
+                        title: `Vulnerability in ${pkgName}: ${String(advisory["title"] ?? "unknown")}`,
+                        severity: npmSeverityToInternal(severity),
+                        category: "dependency-audit",
+                        description: String(advisory["title"] ?? "No description available"),
+                        evidence: `Package: ${pkgName}, Severity: ${severity}, Range: ${String(vuln["range"] ?? "unknown")}`,
+                        affectedFiles: [],
+                        recommendation: `Update ${pkgName} to a fixed version. See: ${String(advisory["url"] ?? "npm audit for details")}`,
+                        releaseImpact: severity === "critical" || severity === "high"
+                            ? "Blocker: must fix before release"
+                            : severity === "moderate"
+                                ? "Major: should fix before release"
+                                : "Minor: can fix in patch release",
+                    });
+                }
+            }
+            else {
+                findings.push({
+                    id: `${checkId}-${pkgName}-${severity}`,
+                    title: `Vulnerability in ${pkgName}`,
+                    severity: npmSeverityToInternal(severity),
+                    category: "dependency-audit",
+                    description: `${pkgName} has a ${severity} severity vulnerability`,
+                    evidence: `Package: ${pkgName}, Severity: ${severity}`,
+                    affectedFiles: [],
+                    recommendation: `Update ${pkgName} to a patched version`,
+                    releaseImpact: severity === "critical" || severity === "high"
+                        ? "Blocker: must fix before release"
+                        : "Minor: review before release",
+                });
+            }
+        }
+    }
+    return {
+        ok: counts.total === 0,
+        severityCounts: counts,
+        findings,
+    };
+}

package/dist/src/securityValidation/dependencies/parseNpmLs.js ADDED Viewed

@@ -0,0 +1,71 @@
+// Parse npm ls --all --json stdout for missing or invalid dependencies.
+// npm ls exits non-zero when there are problems; that is expected and handled here.
+export function parseNpmLs(stdout, checkId) {
+    if (!stdout.trim()) {
+        return { ok: true, missingCount: 0, invalidCount: 0, findings: [] };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(stdout);
+    }
+    catch (err) {
+        return {
+            ok: false,
+            missingCount: 0,
+            invalidCount: 0,
+            findings: [],
+            parseError: `Failed to parse npm ls JSON: ${err instanceof Error ? err.message : String(err)}`,
+        };
+    }
+    const findings = [];
+    let missingCount = 0;
+    let invalidCount = 0;
+    function walkDeps(node, depth) {
+        if (depth > 20 || typeof node !== "object" || node === null)
+            return;
+        const n = node;
+        if (n["missing"] === true) {
+            missingCount++;
+            const name = typeof n["name"] === "string" ? n["name"] : "unknown";
+            findings.push({
+                id: `${checkId}-missing-${name}-${missingCount}`,
+                title: `Missing dependency: ${name}`,
+                severity: "major",
+                category: "dependency-audit",
+                description: `Dependency '${name}' is declared but not installed`,
+                evidence: `npm ls reported missing: ${name}`,
+                affectedFiles: ["package.json"],
+                recommendation: "Run npm install or npm ci to restore the missing dependency",
+                releaseImpact: "Major: missing dependency may cause build or runtime failures",
+            });
+        }
+        if (n["invalid"] === true) {
+            invalidCount++;
+            const name = typeof n["name"] === "string" ? n["name"] : "unknown";
+            findings.push({
+                id: `${checkId}-invalid-${name}-${invalidCount}`,
+                title: `Invalid dependency: ${name}`,
+                severity: "minor",
+                category: "dependency-audit",
+                description: `Dependency '${name}' version does not satisfy the declared range`,
+                evidence: `npm ls reported invalid: ${name}`,
+                affectedFiles: ["package.json"],
+                recommendation: "Run npm install to resolve version mismatches",
+                releaseImpact: "Minor: version mismatch; review before release",
+            });
+        }
+        const deps = n["dependencies"];
+        if (typeof deps === "object" && deps !== null) {
+            for (const child of Object.values(deps)) {
+                walkDeps(child, depth + 1);
+            }
+        }
+    }
+    walkDeps(parsed, 0);
+    return {
+        ok: missingCount === 0 && invalidCount === 0,
+        missingCount,
+        invalidCount,
+        findings,
+    };
+}

package/dist/src/securityValidation/dependencies/parseNpmOutdated.js ADDED Viewed

@@ -0,0 +1,41 @@
+// Parse npm outdated --json stdout.
+// npm outdated exits 1 when packages are outdated; that is expected.
+export function parseNpmOutdated(stdout, checkId) {
+    if (!stdout.trim()) {
+        return { outdatedCount: 0, findings: [] };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(stdout);
+    }
+    catch (err) {
+        return {
+            outdatedCount: 0,
+            findings: [],
+            parseError: `Failed to parse npm outdated JSON: ${err instanceof Error ? err.message : String(err)}`,
+        };
+    }
+    if (typeof parsed !== "object" || parsed === null) {
+        return { outdatedCount: 0, findings: [] };
+    }
+    const outdatedMap = parsed;
+    const entries = Object.entries(outdatedMap);
+    const findings = entries.map(([pkgName, info]) => {
+        const pkg = info !== null && typeof info === "object" ? info : {};
+        return {
+            id: `${checkId}-outdated-${pkgName}`,
+            title: `Outdated dependency: ${pkgName}`,
+            severity: "informational",
+            category: "dependency-audit",
+            description: `${pkgName} has a newer version available`,
+            evidence: `Current: ${pkg["current"] ?? "unknown"}, Wanted: ${pkg["wanted"] ?? "unknown"}, Latest: ${pkg["latest"] ?? "unknown"}`,
+            affectedFiles: ["package.json"],
+            recommendation: `Run npm install ${pkgName}@latest to update`,
+            releaseImpact: "Informational: no direct release impact; consider updating before major releases",
+        };
+    });
+    return {
+        outdatedCount: entries.length,
+        findings,
+    };
+}