@farisabujolban/codeanchor 0.1.0

package/dist/git/history.js

@@ -0,0 +1,46 @@
+import { execFileSync } from 'node:child_process';
+export function parseSinceDuration(since) {
+    const m = since.match(/^(\d+)([dmy])$/);
+    if (!m)
+        return since;
+    const n = parseInt(m[1], 10);
+    const unit = { d: 'day', m: 'month', y: 'year' }[m[2]];
+    return `${n} ${unit}${n !== 1 ? 's' : ''} ago`;
+}
+export function getHotFiles(repoRoot, since, minCommits = 3) {
+    const dateStr = parseSinceDuration(since);
+    let raw;
+    try {
+        raw = execFileSync('git', ['log', `--since=${dateStr}`, '--name-only', '--format='], {
+            encoding: 'utf-8',
+            cwd: repoRoot,
+        });
+    }
+    catch {
+        return [];
+    }
+    const counts = new Map();
+    for (const line of raw.split('\n')) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        counts.set(trimmed, (counts.get(trimmed) ?? 0) + 1);
+    }
+    const results = [];
+    for (const [filePath, count] of counts) {
+        if (count >= minCommits) {
+            results.push({ path: filePath, commitCount: count });
+        }
+    }
+    return results.sort((a, b) => b.commitCount - a.commitCount);
+}
+export function getFileCommitCount(repoRoot, filePath, since) {
+    const dateStr = parseSinceDuration(since);
+    try {
+        const out = execFileSync('git', ['log', `--since=${dateStr}`, '--oneline', '--', filePath], { encoding: 'utf-8', cwd: repoRoot });
+        return out.trim().split('\n').filter(Boolean).length;
+    }
+    catch {
+        return 0;
+    }
+}

package/dist/reporter.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from './types.js';
+export declare function printResult(result: ScanResult): void;
+export declare function renderMarkdown(result: ScanResult): string;

package/dist/reporter.js

@@ -0,0 +1,67 @@
+export function printResult(result) {
+    if (result.findings.length === 0) {
+        console.log('No issues found.');
+        return;
+    }
+    for (const f of result.findings) {
+        const loc = f.line != null ? `${f.file}:${f.line}` : f.file;
+        console.log(`\n  ${f.ruleId}  ${f.severity}  ${loc}`);
+        console.log(`  ${f.message}`);
+        if (f.detail)
+            console.log(`  ${f.detail}`);
+        if (f.fix)
+            console.log(`  → ${f.fix}`);
+    }
+    const parts = [];
+    if (result.errorCount > 0) {
+        parts.push(`${result.errorCount} error${result.errorCount !== 1 ? 's' : ''}`);
+    }
+    if (result.warnCount > 0) {
+        parts.push(`${result.warnCount} warning${result.warnCount !== 1 ? 's' : ''}`);
+    }
+    if (parts.length > 0) {
+        console.log(`\n  ${parts.join(', ')}`);
+    }
+    if (result.errorCount > 0) {
+        console.log('\n  Run failed.');
+    }
+}
+export function renderMarkdown(result) {
+    const date = result.timestamp.slice(0, 10);
+    const lines = [
+        `# codeanchor Report`,
+        ``,
+        `**Mode:** ${result.mode} | **Date:** ${date} | **Errors:** ${result.errorCount} | **Warnings:** ${result.warnCount}`,
+        ``,
+    ];
+    const errors = result.findings.filter(f => f.severity === 'error');
+    const warnings = result.findings.filter(f => f.severity === 'warn');
+    if (errors.length > 0) {
+        lines.push(`## Errors`, ``);
+        for (const f of errors)
+            lines.push(...findingToMarkdown(f));
+    }
+    if (warnings.length > 0) {
+        lines.push(`## Warnings`, ``);
+        for (const f of warnings)
+            lines.push(...findingToMarkdown(f));
+    }
+    if (result.findings.length === 0) {
+        lines.push(`No issues found.`);
+    }
+    return lines.join('\n') + '\n';
+}
+function findingToMarkdown(f) {
+    const loc = f.line != null ? `${f.file}:${f.line}` : f.file;
+    const out = [
+        `### ${f.ruleId}`,
+        `**File:** \`${loc}\``,
+        f.message,
+    ];
+    if (f.detail)
+        out.push(f.detail);
+    if (f.fix)
+        out.push(`**Fix:** \`${f.fix}\``);
+    out.push(``, `---`, ``);
+    return out;
+}

package/dist/rules/ca-cd001.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from '../engine.js';
+export declare const caCd001: Rule;

package/dist/rules/ca-cd001.js

@@ -0,0 +1,84 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { getDriver } from '../util/languages.js';
+import { extractLeadingComments } from '../util/comment-parser.js';
+import { shouldIgnoreComment } from '../util/ignore-rules.js';
+import { getOwnedRegion } from '../util/ownership.js';
+import { loadApprovals, findApproval, isApprovalValid } from '../util/approvals.js';
+import { diffTouchesRange } from '../git/diff.js';
+import { isExcluded } from '../util/exclude.js';
+export const caCd001 = {
+    id: 'CA-CD001',
+    description: 'Code changed but leading comment was not updated.',
+    defaultSeverity: 'error',
+    applicableModes: ['staged'],
+    async run(ctx) {
+        const { stagedDiffs, repoRoot, config } = ctx;
+        if (!stagedDiffs)
+            return [];
+        const ruleCfg = config.rules['CA-CD001'];
+        if (ruleCfg === false)
+            return [];
+        const maxOwnershipDistance = typeof ruleCfg === 'object' && ruleCfg?.maxOwnershipDistance
+            ? ruleCfg.maxOwnershipDistance
+            : 20;
+        const findings = [];
+        const approvalsStore = loadApprovals(repoRoot);
+        for (const fileDiff of stagedDiffs) {
+            if (fileDiff.status === 'deleted')
+                continue;
+            if (fileDiff.status === 'added')
+                continue;
+            const driver = getDriver(fileDiff.path);
+            if (!driver)
+                continue;
+            if (isExcluded(fileDiff.path, config.exclude))
+                continue;
+            const absPath = path.join(repoRoot, fileDiff.path);
+            if (!fs.existsSync(absPath))
+                continue;
+            let content;
+            try {
+                content = fs.readFileSync(absPath, 'utf-8');
+            }
+            catch {
+                continue;
+            }
+            const lines = content.split('\n');
+            const comments = extractLeadingComments(content, driver);
+            for (const comment of comments) {
+                if (shouldIgnoreComment(comment, driver))
+                    continue;
+                const region = getOwnedRegion(comment, lines, maxOwnershipDistance, driver);
+                if (!region)
+                    continue;
+                const codeChanged = diffTouchesRange(fileDiff, region.startLine, region.endLine);
+                if (!codeChanged)
+                    continue;
+                const commentChanged = diffTouchesRange(fileDiff, comment.startLine, comment.endLine);
+                if (commentChanged)
+                    continue;
+                const approval = findApproval(approvalsStore, fileDiff.path, comment.startLine);
+                if (approval && isApprovalValid(approval, comment, lines, region))
+                    continue;
+                const changedInRegion = [];
+                for (let l = region.startLine; l <= region.endLine; l++) {
+                    if (fileDiff.changedLines.has(l))
+                        changedInRegion.push(l);
+                }
+                const rangeStr = changedInRegion.length === 1
+                    ? `${changedInRegion[0]}`
+                    : `${changedInRegion[0]}–${changedInRegion[changedInRegion.length - 1]}`;
+                findings.push({
+                    ruleId: 'CA-CD001',
+                    severity: 'error',
+                    file: fileDiff.path,
+                    line: comment.startLine,
+                    message: `Code changed at lines ${rangeStr} but leading comment was not updated.`,
+                    fix: `codeanchor approve ${fileDiff.path} ${comment.startLine}`,
+                });
+            }
+        }
+        return findings;
+    },
+};

package/dist/rules/ca-ci001.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from '../engine.js';
+export declare const caCi001: Rule;

package/dist/rules/ca-ci001.js

@@ -0,0 +1,86 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import yaml from 'js-yaml';
+import { isExcluded } from '../util/exclude.js';
+function findWorkflowFiles(root) {
+    const dir = path.join(root, '.github', 'workflows');
+    if (!fs.existsSync(dir))
+        return [];
+    return fs
+        .readdirSync(dir)
+        .filter(f => f.endsWith('.yml') || f.endsWith('.yaml'))
+        .map(f => path.join(dir, f));
+}
+const scriptPattern = /(?:npm run|pnpm run|yarn run|pnpm|yarn)\s+([a-zA-Z0-9:_-]+)/g;
+function extractScriptNames(runBlock) {
+    const names = [];
+    scriptPattern.lastIndex = 0;
+    let m;
+    while ((m = scriptPattern.exec(runBlock)) !== null) {
+        names.push(m[1]);
+    }
+    return names;
+}
+function findScriptLine(rawLines, scriptName) {
+    const re = new RegExp(`(?:npm run|pnpm run|yarn run|pnpm|yarn)\\s+${scriptName}(?:\\s|$)`);
+    for (let i = 0; i < rawLines.length; i++) {
+        if (re.test(rawLines[i]))
+            return i + 1;
+    }
+    return undefined;
+}
+export const caCi001 = {
+    id: 'CA-CI001',
+    description: 'GitHub Actions workflow references an npm script missing from package.json.',
+    defaultSeverity: 'error',
+    applicableModes: ['repo', 'pr'],
+    async run(ctx) {
+        const pkgPath = path.join(ctx.repoRoot, 'package.json');
+        if (!fs.existsSync(pkgPath))
+            return [];
+        let scripts = {};
+        try {
+            const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+            scripts = pkg.scripts ?? {};
+        }
+        catch {
+            return [];
+        }
+        const findings = [];
+        for (const wfFile of findWorkflowFiles(ctx.repoRoot)) {
+            const relPath = path.relative(ctx.repoRoot, wfFile);
+            if (isExcluded(relPath, ctx.config.exclude))
+                continue;
+            let doc;
+            const raw = fs.readFileSync(wfFile, 'utf-8');
+            try {
+                doc = yaml.load(raw);
+            }
+            catch {
+                continue;
+            }
+            if (!doc?.jobs)
+                continue;
+            const rawLines = raw.split('\n');
+            for (const job of Object.values(doc.jobs)) {
+                for (const step of job.steps ?? []) {
+                    if (!step.run)
+                        continue;
+                    for (const scriptName of extractScriptNames(step.run)) {
+                        if (!(scriptName in scripts)) {
+                            findings.push({
+                                ruleId: 'CA-CI001',
+                                severity: 'error',
+                                file: relPath,
+                                line: findScriptLine(rawLines, scriptName),
+                                message: `Script "${scriptName}" referenced in workflow but not found in package.json.`,
+                                detail: `Available: ${Object.keys(scripts).join(', ')}`,
+                            });
+                        }
+                    }
+                }
+            }
+        }
+        return findings;
+    },
+};

package/dist/rules/ca-ci003.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from '../engine.js';
+export declare const caCi003: Rule;

package/dist/rules/ca-ci003.js

@@ -0,0 +1,114 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import yaml from 'js-yaml';
+import { isExcluded } from '../util/exclude.js';
+// Patterns for local file references inside `run:` blocks.
+// Intentionally conservative to keep false positives low.
+// Path form: optional ./ or ../ prefix, then one or more dir/segments, then file.ext
+const LOCAL_PATH = /((?:\.{1,2}\/)?(?:[\w.-]+\/)+[\w.-]+\.\w+)/;
+const RUN_PATH_PATTERNS = [
+    // node scripts/foo.js  |  node ./scripts/foo.js
+    new RegExp(`\\bnode\\s+${LOCAL_PATH.source}`),
+    // ts-node / tsx
+    new RegExp(`\\b(?:ts-node|tsx)\\s+${LOCAL_PATH.source}`),
+    // bash/sh scripts/foo.sh  |  bash ./scripts/foo.sh
+    new RegExp(`\\b(?:bash|sh)\\s+${LOCAL_PATH.source}`),
+    // python tools/foo.py
+    new RegExp(`\\bpython3?\\s+${LOCAL_PATH.source}`),
+    // ./scripts/foo.sh  (bare relative invocation)
+    /(\.\/[\w./-]+\.\w+)/,
+];
+function findWorkflowFiles(root) {
+    const dir = path.join(root, '.github', 'workflows');
+    if (!fs.existsSync(dir))
+        return [];
+    return fs
+        .readdirSync(dir)
+        .filter(f => f.endsWith('.yml') || f.endsWith('.yaml'))
+        .map(f => path.join(dir, f));
+}
+function extractRunPaths(runBlock) {
+    const found = new Set();
+    for (const line of runBlock.split('\n')) {
+        for (const re of RUN_PATH_PATTERNS) {
+            const m = line.match(re);
+            if (m?.[1])
+                found.add(m[1]);
+        }
+    }
+    return [...found];
+}
+function findLineOf(rawLines, text) {
+    for (let i = 0; i < rawLines.length; i++) {
+        if (rawLines[i].includes(text))
+            return i + 1;
+    }
+    return undefined;
+}
+export const caCi003 = {
+    id: 'CA-CI003',
+    description: 'GitHub Actions workflow references a local path that does not exist.',
+    defaultSeverity: 'error',
+    applicableModes: ['repo', 'pr'],
+    async run(ctx) {
+        const findings = [];
+        for (const wfFile of findWorkflowFiles(ctx.repoRoot)) {
+            const relPath = path.relative(ctx.repoRoot, wfFile);
+            if (isExcluded(relPath, ctx.config.exclude))
+                continue;
+            const raw = fs.readFileSync(wfFile, 'utf-8');
+            let doc;
+            try {
+                doc = yaml.load(raw);
+            }
+            catch {
+                continue;
+            }
+            if (!doc?.jobs)
+                continue;
+            const rawLines = raw.split('\n');
+            function report(localPath, hint) {
+                const resolved = path.resolve(ctx.repoRoot, localPath);
+                if (!fs.existsSync(resolved)) {
+                    findings.push({
+                        ruleId: 'CA-CI003',
+                        severity: 'error',
+                        file: relPath,
+                        line: findLineOf(rawLines, localPath),
+                        message: `${hint} "${localPath}" does not exist.`,
+                    });
+                }
+            }
+            for (const job of Object.values(doc.jobs)) {
+                for (const step of job.steps ?? []) {
+                    // working-directory
+                    const wd = step['working-directory'];
+                    if (typeof wd === 'string' && (wd.startsWith('./') || wd.startsWith('../') || (!wd.startsWith('/') && !wd.includes('$')))) {
+                        report(wd, 'working-directory');
+                    }
+                    // with.path and with.cache-dependency-path
+                    if (step.with && typeof step.with === 'object') {
+                        for (const key of ['path', 'cache-dependency-path']) {
+                            const val = step.with[key];
+                            if (typeof val === 'string') {
+                                // may be multi-line (newline-separated list)
+                                for (const entry of val.split('\n').map(s => s.trim()).filter(Boolean)) {
+                                    if (entry.startsWith('./') || entry.startsWith('../')) {
+                                        report(entry, `with.${key}`);
+                                    }
+                                }
+                            }
+                        }
+                    }
+                    // run: block — extract conservatively matched local file references
+                    if (step.run) {
+                        for (const localPath of extractRunPaths(step.run)) {
+                            report(localPath, 'run: script reference');
+                        }
+                    }
+                }
+            }
+        }
+        return findings;
+    },
+};

package/dist/rules/ca-docker001.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from '../engine.js';
+export declare const caDocker001: Rule;

package/dist/rules/ca-docker001.js

@@ -0,0 +1,69 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { isExcluded } from '../util/exclude.js';
+function findDockerfiles(root) {
+    const files = [];
+    try {
+        for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
+            if (entry.isFile() &&
+                (entry.name === 'Dockerfile' || entry.name.startsWith('Dockerfile.'))) {
+                files.push(path.join(root, entry.name));
+            }
+        }
+    }
+    catch { /* ignore unreadable root */ }
+    return files;
+}
+export const caDocker001 = {
+    id: 'CA-DOCKER001',
+    description: 'Dockerfile COPY or ADD references a source path that does not exist.',
+    defaultSeverity: 'warn',
+    applicableModes: ['repo', 'pr'],
+    async run(ctx) {
+        const findings = [];
+        for (const dockerFile of findDockerfiles(ctx.repoRoot)) {
+            const relPath = path.relative(ctx.repoRoot, dockerFile);
+            if (isExcluded(relPath, ctx.config.exclude))
+                continue;
+            const content = fs.readFileSync(dockerFile, 'utf-8');
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const trimmed = lines[i].trim();
+                // Skip multi-stage COPY --from=
+                if (/^COPY\s+--from=/i.test(trimmed))
+                    continue;
+                let src = null;
+                if (/^COPY\s+/i.test(trimmed)) {
+                    // Strip inline flags like --chown= before splitting
+                    const withoutFlags = trimmed.replace(/--\w[\w-]*=\S+\s*/g, '');
+                    const parts = withoutFlags.split(/\s+/).slice(1);
+                    if (parts.length >= 2)
+                        src = parts[0];
+                }
+                else if (/^ADD\s+/i.test(trimmed)) {
+                    const parts = trimmed.split(/\s+/).slice(1);
+                    if (parts.length >= 2) {
+                        const candidate = parts[0];
+                        // Skip URLs
+                        if (/^https?:\/\//i.test(candidate))
+                            continue;
+                        src = candidate;
+                    }
+                }
+                if (src) {
+                    const resolved = path.join(ctx.repoRoot, src);
+                    if (!fs.existsSync(resolved)) {
+                        findings.push({
+                            ruleId: 'CA-DOCKER001',
+                            severity: 'warn',
+                            file: relPath,
+                            line: i + 1,
+                            message: `COPY source path "${src}" does not exist.`,
+                        });
+                    }
+                }
+            }
+        }
+        return findings;
+    },
+};

package/dist/rules/ca-docker002.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from '../engine.js';
+export declare const caDocker002: Rule;

package/dist/rules/ca-docker002.js

@@ -0,0 +1,121 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { isExcluded } from '../util/exclude.js';
+function findDockerfiles(root) {
+    const files = [];
+    try {
+        for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
+            if (entry.isFile() &&
+                (entry.name === 'Dockerfile' || entry.name.startsWith('Dockerfile.'))) {
+                files.push(path.join(root, entry.name));
+            }
+        }
+    }
+    catch { /* ignore */ }
+    return files;
+}
+// RUN npm run <script> / RUN pnpm run <script> / RUN yarn run <script>
+// Also: RUN pnpm <script> / RUN yarn <script> (shorthand without "run")
+const PKG_SCRIPT_RE = /\b(?:npm run|pnpm run|yarn run|pnpm|yarn)\s+([a-zA-Z0-9:_-]+)/g;
+// CMD/ENTRYPOINT node dist/foo.js  (local relative path — no leading ./ required for CMD)
+// We only check paths that look like relative file paths (contain a dot in filename or start with .)
+const CMD_NODE_RE = /\bnode\s+((?:\.\/)?[\w./]+\.\w+)/;
+const CMD_TS_NODE_RE = /\b(?:ts-node|tsx)\s+((?:\.\/)?[\w./]+\.\w+)/;
+function extractScriptNamesFromRun(runLine) {
+    const names = [];
+    PKG_SCRIPT_RE.lastIndex = 0;
+    let m;
+    while ((m = PKG_SCRIPT_RE.exec(runLine)) !== null) {
+        names.push(m[1]);
+    }
+    return names;
+}
+function extractNodePathFromExec(cmd) {
+    let m = cmd.match(CMD_NODE_RE);
+    if (m)
+        return m[1];
+    m = cmd.match(CMD_TS_NODE_RE);
+    if (m)
+        return m[1];
+    return null;
+}
+// Parse CMD/ENTRYPOINT — handles both shell form and JSON array form
+function parseCmdEntrypoint(trimmed) {
+    // JSON array form: CMD ["node", "dist/index.js"]
+    const jsonMatch = trimmed.match(/^(?:CMD|ENTRYPOINT)\s+(\[.*\])\s*$/i);
+    if (jsonMatch) {
+        try {
+            const arr = JSON.parse(jsonMatch[1]);
+            return arr.join(' ');
+        }
+        catch { /* fall through to shell form */ }
+    }
+    // Shell form: CMD node dist/index.js
+    const shellMatch = trimmed.match(/^(?:CMD|ENTRYPOINT)\s+(.+)$/i);
+    return shellMatch ? shellMatch[1] : '';
+}
+export const caDocker002 = {
+    id: 'CA-DOCKER002',
+    description: 'Dockerfile RUN/CMD/ENTRYPOINT references a script or local file that does not exist.',
+    defaultSeverity: 'warn',
+    applicableModes: ['repo', 'pr'],
+    async run(ctx) {
+        const findings = [];
+        // Load scripts from package.json once
+        const pkgPath = path.join(ctx.repoRoot, 'package.json');
+        let scripts = {};
+        if (fs.existsSync(pkgPath) && !isExcluded('package.json', ctx.config.exclude)) {
+            try {
+                const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+                scripts = pkg.scripts ?? {};
+            }
+            catch { /* no scripts */ }
+        }
+        for (const dockerFile of findDockerfiles(ctx.repoRoot)) {
+            const relPath = path.relative(ctx.repoRoot, dockerFile);
+            if (isExcluded(relPath, ctx.config.exclude))
+                continue;
+            const content = fs.readFileSync(dockerFile, 'utf-8');
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const trimmed = lines[i].trim();
+                const lineNum = i + 1;
+                // RUN lines — check npm/yarn/pnpm script references
+                if (/^RUN\s+/i.test(trimmed)) {
+                    const runBody = trimmed.replace(/^RUN\s+/i, '');
+                    for (const scriptName of extractScriptNamesFromRun(runBody)) {
+                        if (Object.keys(scripts).length > 0 && !(scriptName in scripts)) {
+                            findings.push({
+                                ruleId: 'CA-DOCKER002',
+                                severity: 'warn',
+                                file: relPath,
+                                line: lineNum,
+                                message: `RUN references npm script "${scriptName}" which is not in package.json.`,
+                                detail: `Available: ${Object.keys(scripts).join(', ')}`,
+                            });
+                        }
+                    }
+                    continue;
+                }
+                // CMD / ENTRYPOINT — check node local file references
+                if (/^(?:CMD|ENTRYPOINT)\s+/i.test(trimmed)) {
+                    const cmdStr = parseCmdEntrypoint(trimmed);
+                    const localFile = extractNodePathFromExec(cmdStr);
+                    if (localFile) {
+                        const resolved = path.resolve(ctx.repoRoot, localFile);
+                        if (!fs.existsSync(resolved)) {
+                            findings.push({
+                                ruleId: 'CA-DOCKER002',
+                                severity: 'warn',
+                                file: relPath,
+                                line: lineNum,
+                                message: `CMD/ENTRYPOINT references "${localFile}" which does not exist.`,
+                            });
+                        }
+                    }
+                }
+            }
+        }
+        return findings;
+    },
+};

package/dist/rules/ca-docs001.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from '../engine.js';
+export declare const caDocs001: Rule;