@delegance/claude-autopilot 1.3.1 → 1.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delegance/claude-autopilot",
-  "version": "1.3.1",
+  "version": "1.4.0",
   "type": "module",
   "description": "Claude Code automation pipeline: spec → plan → implement → validate → PR",
   "keywords": [

package/src/cli/preflight.ts

@@ -87,14 +87,17 @@ export async function runDoctor(): Promise<DoctorResult> {
       : undefined,
   });
 
-  // 6. OPENAI_API_KEY set
+  // 6. LLM API key (ANTHROPIC_API_KEY preferred, OPENAI_API_KEY as fallback)
   const envVars = envFile ? loadEnvFile(envFile) : {};
+  const hasAnthropic = !!process.env.ANTHROPIC_API_KEY || !!envVars['ANTHROPIC_API_KEY'];
   const hasOpenAI = !!process.env.OPENAI_API_KEY || !!envVars['OPENAI_API_KEY'];
+  const hasLLMKey = hasAnthropic || hasOpenAI;
+  const llmKeyName = hasAnthropic ? 'ANTHROPIC_API_KEY' : hasOpenAI ? 'OPENAI_API_KEY' : 'none';
   checks.push({
-    name: 'OPENAI_API_KEY',
-    result: hasOpenAI ? 'pass' : 'warn',
-    message: !hasOpenAI
-      ? `OPENAI_API_KEY not set — Codex review steps will be skipped`
+    name: `LLM API key (${llmKeyName})`,
+    result: hasLLMKey ? 'pass' : 'warn',
+    message: !hasLLMKey
+      ? `No LLM API key found — set ANTHROPIC_API_KEY (recommended) or OPENAI_API_KEY to enable review`
       : undefined,
   });
 

package/src/cli/run.ts

@@ -21,6 +21,7 @@ for (const f of ENV_FILES) {
 }
 
 import { loadConfig } from '../core/config/loader.ts';
+import { loadRulesFromConfig } from '../core/static-rules/registry.ts';
 import { resolvePreset } from '../core/config/preset-resolver.ts';
 import { mergeConfigs } from '../core/config/preset-resolver.ts';
 import { loadAdapter } from '../adapters/loader.ts';
@@ -127,11 +128,17 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     }
   }
 
+  // Load static rules from config
+  const staticRules = config.staticRules && config.staticRules.length > 0
+    ? await loadRulesFromConfig(config.staticRules)
+    : [];
+
   // Execute pipeline
   const input: RunInput = {
     touchedFiles,
     config,
     reviewEngine,
+    staticRules,
     cwd,
   };
 

package/src/core/static-rules/registry.ts

@@ -0,0 +1,42 @@
+import type { StaticRule } from '../phases/static-rules.ts';
+import type { StaticRuleReference } from '../config/types.ts';
+
+// Built-in cross-stack rules
+const BUILTIN: Record<string, () => Promise<StaticRule>> = {
+  'hardcoded-secrets': () => import('./rules/hardcoded-secrets.ts').then(m => m.hardcodedSecretsRule),
+  'npm-audit':         () => import('./rules/npm-audit.ts').then(m => m.npmAuditRule),
+  'package-lock-sync': () => import('./rules/package-lock-sync.ts').then(m => m.packageLockSyncRule),
+  'console-log':       () => import('./rules/console-log.ts').then(m => m.consoleLogRule),
+  'todo-fixme':        () => import('./rules/todo-fixme.ts').then(m => m.todoFixmeRule),
+  'large-file':        () => import('./rules/large-file.ts').then(m => m.largeFileRule),
+  'missing-tests':     () => import('./rules/missing-tests.ts').then(m => m.missingTestsRule),
+};
+
+// Preset-specific rules registered by name
+const PRESET: Record<string, () => Promise<StaticRule>> = {
+  'supabase-rls-bypass': () => import('../../../presets/nextjs-supabase/rules/supabase-rls-bypass.ts').then(m => m.supabaseRlsBypassRule),
+  'go-sql-injection':    () => import('../../../presets/go/rules/go-sql-injection.ts').then(m => m.goSqlInjectionRule),
+  'fastapi-missing-auth': () => import('../../../presets/python-fastapi/rules/fastapi-missing-auth.ts').then(m => m.fastapiMissingAuthRule),
+  't3-server-only':      () => import('../../../presets/t3/rules/t3-server-only.ts').then(m => m.t3ServerOnlyRule),
+  'rails-sql-injection': () => import('../../../presets/rails-postgres/rules/rails-sql-injection.ts').then(m => m.railsSqlInjectionRule),
+};
+
+const ALL = { ...BUILTIN, ...PRESET };
+
+export async function loadRulesFromConfig(refs: StaticRuleReference[]): Promise<StaticRule[]> {
+  const rules: StaticRule[] = [];
+  for (const ref of refs) {
+    const name = typeof ref === 'string' ? ref : ref.adapter;
+    const loader = ALL[name];
+    if (loader) {
+      rules.push(await loader());
+    } else {
+      process.stderr.write(`[autopilot] Unknown static rule: "${name}" — skipping\n`);
+    }
+  }
+  return rules;
+}
+
+export function listAvailableRules(): string[] {
+  return Object.keys(ALL);
+}

package/src/core/static-rules/rules/console-log.ts

@@ -0,0 +1,42 @@
+import * as fs from 'node:fs';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+const CONSOLE_CALLS = /\bconsole\.(log|debug|info)\s*\(/;
+const CODE_EXTS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mts', '.cts', '.mjs', '.cjs']);
+const TEST_PATH = /(?:__tests__|\.test\.|\.spec\.|\/test\/|\/tests\/)/;
+
+export const consoleLogRule: StaticRule = {
+  name: 'console-log',
+  severity: 'warning',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const findings: Finding[] = [];
+    for (const file of touchedFiles) {
+      const ext = file.slice(file.lastIndexOf('.'));
+      if (!CODE_EXTS.has(ext) || TEST_PATH.test(file)) continue;
+      let content: string;
+      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i]!;
+        if (line.trim().startsWith('//')) continue;
+        if (CONSOLE_CALLS.test(line)) {
+          findings.push({
+            id: `console-log:${file}:${i + 1}`,
+            source: 'static-rules',
+            severity: 'warning',
+            category: 'console-log',
+            file,
+            line: i + 1,
+            message: 'console.log/debug/info left in production code',
+            suggestion: 'Remove or replace with a structured logger',
+            protectedPath: false,
+            createdAt: new Date().toISOString(),
+          });
+        }
+      }
+    }
+    return findings;
+  },
+};

package/src/core/static-rules/rules/hardcoded-secrets.ts

@@ -0,0 +1,57 @@
+import * as fs from 'node:fs';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+const SECRET_PATTERNS: { regex: RegExp; label: string }[] = [
+  { regex: /\bAKIA[0-9A-Z]{16}\b/, label: 'AWS Access Key ID' },
+  { regex: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{6,}['"]/, label: 'Hardcoded password' },
+  { regex: /(?:api_key|apikey|api-key)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded API key' },
+  { regex: /(?:secret|secret_key|secretkey)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded secret' },
+  { regex: /(?:access_token|accesstoken)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded access token' },
+  { regex: /(?:private_key|privatekey)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded private key' },
+  { regex: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/, label: 'Private key block' },
+];
+
+// Patterns that indicate a placeholder, not a real secret
+const PLACEHOLDER = /(?:your[-_]?|xxx|placeholder|example|test|fake|dummy|changeme|<[^>]+>)/i;
+const SKIP_EXTS = new Set(['.md', '.txt', '.yaml', '.yml', '.json', '.lock', '.snap']);
+const TEST_PATH = /(?:__tests__|\.test\.|\.spec\.|\/test\/|\/tests\/)/;
+
+export const hardcodedSecretsRule: StaticRule = {
+  name: 'hardcoded-secrets',
+  severity: 'critical',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const findings: Finding[] = [];
+    for (const file of touchedFiles) {
+      const ext = file.slice(file.lastIndexOf('.'));
+      if (SKIP_EXTS.has(ext) || TEST_PATH.test(file)) continue;
+      let content: string;
+      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i]!;
+        if (line.trim().startsWith('//') || line.trim().startsWith('#')) continue;
+        for (const { regex, label } of SECRET_PATTERNS) {
+          const match = line.match(regex);
+          if (match && !PLACEHOLDER.test(match[0])) {
+            findings.push({
+              id: `hardcoded-secrets:${file}:${i + 1}`,
+              source: 'static-rules',
+              severity: 'critical',
+              category: 'hardcoded-secrets',
+              file,
+              line: i + 1,
+              message: `${label} appears hardcoded`,
+              suggestion: 'Move to environment variable and load via process.env',
+              protectedPath: false,
+              createdAt: new Date().toISOString(),
+            });
+            break;
+          }
+        }
+      }
+    }
+    return findings;
+  },
+};

package/src/core/static-rules/rules/large-file.ts

@@ -0,0 +1,37 @@
+import * as fs from 'node:fs';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+const DEFAULT_THRESHOLD = 500;
+const SKIP_EXTS = new Set(['.lock', '.snap', '.map', '.min.js', '.min.css']);
+
+export const largeFileRule: StaticRule = {
+  name: 'large-file',
+  severity: 'note',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const threshold = parseInt(process.env.AUTOPILOT_LARGE_FILE_LINES ?? '', 10) || DEFAULT_THRESHOLD;
+    const findings: Finding[] = [];
+    for (const file of touchedFiles) {
+      const ext = file.slice(file.lastIndexOf('.'));
+      if (SKIP_EXTS.has(ext)) continue;
+      let content: string;
+      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
+      const lines = content.split('\n').length;
+      if (lines > threshold) {
+        findings.push({
+          id: `large-file:${file}`,
+          source: 'static-rules',
+          severity: 'note',
+          category: 'large-file',
+          file,
+          message: `File is ${lines} lines (threshold: ${threshold})`,
+          suggestion: 'Consider splitting into smaller, focused modules',
+          protectedPath: false,
+          createdAt: new Date().toISOString(),
+        });
+      }
+    }
+    return findings;
+  },
+};

package/src/core/static-rules/rules/missing-tests.ts

@@ -0,0 +1,57 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+const SOURCE_DIRS = ['src/', 'app/', 'lib/', 'utils/'];
+const SOURCE_EXTS = new Set(['.ts', '.tsx', '.js', '.jsx']);
+const TEST_PATH = /(?:__tests__|\.test\.|\.spec\.|\/test\/|\/tests\/)/;
+const INDEX_FILE = /(?:^|[/\\])index\.[tj]sx?$/;
+
+function isSourceFile(f: string): boolean {
+  const ext = f.slice(f.lastIndexOf('.'));
+  return SOURCE_EXTS.has(ext) && !TEST_PATH.test(f) && SOURCE_DIRS.some(d => f.startsWith(d));
+}
+
+function hasTestCounterpart(file: string, touchedFiles: Set<string>): boolean {
+  const base = file.replace(/\.[tj]sx?$/, '');
+  const candidates = [
+    `${base}.test.ts`, `${base}.test.tsx`, `${base}.test.js`,
+    `${base}.spec.ts`, `${base}.spec.tsx`, `${base}.spec.js`,
+  ];
+  const dir = path.dirname(file);
+  const name = path.basename(base);
+  candidates.push(
+    `${dir}/__tests__/${name}.test.ts`,
+    `${dir}/__tests__/${name}.test.tsx`,
+    `${dir}/__tests__/${name}.test.js`,
+  );
+  return candidates.some(c => touchedFiles.has(c) || fs.existsSync(c));
+}
+
+export const missingTestsRule: StaticRule = {
+  name: 'missing-tests',
+  severity: 'note',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const touched = new Set(touchedFiles);
+    const findings: Finding[] = [];
+    for (const file of touchedFiles) {
+      if (!isSourceFile(file) || INDEX_FILE.test(file)) continue;
+      if (!hasTestCounterpart(file, touched)) {
+        findings.push({
+          id: `missing-tests:${file}`,
+          source: 'static-rules',
+          severity: 'note',
+          category: 'missing-tests',
+          file,
+          message: 'No test file found for this changed source file',
+          suggestion: `Add tests at ${file.replace(/\.[tj]sx?$/, '.test.ts')}`,
+          protectedPath: false,
+          createdAt: new Date().toISOString(),
+        });
+      }
+    }
+    return findings;
+  },
+};

package/src/core/static-rules/rules/npm-audit.ts

@@ -0,0 +1,38 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { runSafe } from '../../shell.ts';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+export const npmAuditRule: StaticRule = {
+  name: 'npm-audit',
+  severity: 'critical',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const cwd = process.cwd();
+    if (!fs.existsSync(path.join(cwd, 'package.json'))) return [];
+
+    const out = runSafe('npm', ['audit', '--json'], { cwd });
+    if (!out) return [];
+
+    let report: { vulnerabilities?: Record<string, { severity: string; name: string; via: unknown[] }> };
+    try { report = JSON.parse(out); } catch { return []; }
+
+    const findings: Finding[] = [];
+    for (const [, vuln] of Object.entries(report.vulnerabilities ?? {})) {
+      if (vuln.severity !== 'critical' && vuln.severity !== 'high') continue;
+      findings.push({
+        id: `npm-audit:${vuln.name}`,
+        source: 'static-rules',
+        severity: vuln.severity === 'critical' ? 'critical' : 'warning',
+        category: 'npm-audit',
+        file: 'package.json',
+        message: `${vuln.severity.toUpperCase()} vulnerability in ${vuln.name}`,
+        suggestion: `Run: npm audit fix`,
+        protectedPath: false,
+        createdAt: new Date().toISOString(),
+      });
+    }
+    return findings;
+  },
+};

package/src/core/static-rules/rules/package-lock-sync.ts

@@ -0,0 +1,54 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+export const packageLockSyncRule: StaticRule = {
+  name: 'package-lock-sync',
+  severity: 'warning',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const cwd = process.cwd();
+    const hasPkg = touchedFiles.some(f => f === 'package.json');
+    const hasLock = touchedFiles.some(f => f === 'package-lock.json');
+
+    if (!hasPkg && !hasLock) return [];
+
+    const pkgExists = fs.existsSync(path.join(cwd, 'package.json'));
+    const lockExists = fs.existsSync(path.join(cwd, 'package-lock.json'));
+
+    if (!pkgExists) return [];
+
+    // package.json changed but lock didn't
+    if (hasPkg && !hasLock && lockExists) {
+      return [{
+        id: 'package-lock-sync:package.json',
+        source: 'static-rules',
+        severity: 'warning',
+        category: 'package-lock-sync',
+        file: 'package.json',
+        message: 'package.json changed but package-lock.json was not updated',
+        suggestion: 'Run npm install to sync the lockfile',
+        protectedPath: false,
+        createdAt: new Date().toISOString(),
+      }];
+    }
+
+    // lock changed but package.json didn't (unusual, flag it)
+    if (hasLock && !hasPkg) {
+      return [{
+        id: 'package-lock-sync:package-lock.json',
+        source: 'static-rules',
+        severity: 'warning',
+        category: 'package-lock-sync',
+        file: 'package-lock.json',
+        message: 'package-lock.json changed without a corresponding package.json change',
+        suggestion: 'Verify this is intentional — lockfile-only changes can indicate manual edits',
+        protectedPath: false,
+        createdAt: new Date().toISOString(),
+      }];
+    }
+
+    return [];
+  },
+};

package/src/core/static-rules/rules/todo-fixme.ts

@@ -0,0 +1,40 @@
+import * as fs from 'node:fs';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+const TODO_PATTERN = /\b(TODO|FIXME|HACK|XXX)\b/;
+const SKIP_EXTS = new Set(['.lock', '.snap', '.png', '.jpg', '.svg', '.ico']);
+
+export const todoFixmeRule: StaticRule = {
+  name: 'todo-fixme',
+  severity: 'note',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const findings: Finding[] = [];
+    for (const file of touchedFiles) {
+      const ext = file.slice(file.lastIndexOf('.'));
+      if (SKIP_EXTS.has(ext)) continue;
+      let content: string;
+      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const match = lines[i]!.match(TODO_PATTERN);
+        if (match) {
+          findings.push({
+            id: `todo-fixme:${file}:${i + 1}`,
+            source: 'static-rules',
+            severity: 'note',
+            category: 'todo-fixme',
+            file,
+            line: i + 1,
+            message: `${match[1]} comment in changed file`,
+            suggestion: 'Resolve before merging or track in an issue',
+            protectedPath: false,
+            createdAt: new Date().toISOString(),
+          });
+        }
+      }
+    }
+    return findings;
+  },
+};