@getmikk/core 2.0.12 → 2.0.14

package/src/parser/types.ts

@@ -116,7 +116,7 @@ export interface ParsedRoute {
 /** Everything extracted from a single file */
 export interface ParsedFile {
   path: string;            // normalized absolute path
-  language: 'python' | 'go' | 'typescript' | 'javascript' | 'java' | 'c' | 'cpp' | 'csharp' | 'rust' | 'php' | 'ruby' | 'unknown';
+  language: 'python' | 'go' | 'typescript' | 'javascript' | 'java' | 'kotlin' | 'swift' | 'c' | 'cpp' | 'csharp' | 'rust' | 'php' | 'ruby' | 'unknown';
   functions: ParsedFunction[];
   classes: ParsedClass[];
   variables: ParsedVariable[];

package/src/security/index.ts

@@ -0,0 +1 @@
+export { SecurityScanner, type SecurityFinding, type SecurityReport } from './scanner.js'

package/src/security/scanner.ts

@@ -0,0 +1,342 @@
+// ---------------------------------------------------------------------------
+// Security Vulnerability Scanning — foundation for detecting common patterns
+// ---------------------------------------------------------------------------
+
+export interface SecurityFinding {
+  id: string
+  severity: 'critical' | 'high' | 'medium' | 'low' | 'info'
+  category: string
+  title: string
+  description: string
+  file: string
+  line: number
+  column?: number
+  code: string
+  suggestion?: string
+  cwe?: string
+  cve?: string
+}
+
+export interface SecurityReport {
+  findings: SecurityFinding[]
+  summary: {
+    total: number
+    critical: number
+    high: number
+    medium: number
+    low: number
+    info: number
+  }
+  scannedFiles: number
+  scanDuration: number
+}
+
+// ---------------------------------------------------------------------------
+// Pattern definitions for common vulnerability categories
+// ---------------------------------------------------------------------------
+
+interface VulnerabilityPattern {
+  id: string
+  severity: SecurityFinding['severity']
+  category: string
+  title: string
+  description: string
+  regex: RegExp
+  suggestion?: string
+  cwe?: string
+  languages?: string[]
+}
+
+const VULNERABILITY_PATTERNS: VulnerabilityPattern[] = [
+  // SQL Injection
+  {
+    id: 'sql-injection',
+    severity: 'critical',
+    category: 'injection',
+    title: 'Potential SQL Injection',
+    description: 'String concatenation in SQL query detected. Use parameterized queries instead.',
+    regex: /(?:execute|query|cursor\.execute)\s*\(\s*["'].*(?:\+|\$\{)/,
+    suggestion: 'Use parameterized queries: cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))',
+    cwe: 'CWE-89',
+    languages: ['python', 'javascript', 'typescript'],
+  },
+  {
+    id: 'sql-injection-fstring',
+    severity: 'critical',
+    category: 'injection',
+    title: 'SQL Injection via f-string',
+    description: 'f-string used in SQL query. Use parameterized queries.',
+    regex: /(?:execute|query)\s*\(\s*f["']/,
+    suggestion: 'Use parameterized queries instead of f-strings in SQL.',
+    cwe: 'CWE-89',
+    languages: ['python'],
+  },
+
+  // Command Injection
+  {
+    id: 'command-injection',
+    severity: 'critical',
+    category: 'injection',
+    title: 'Potential Command Injection',
+    description: 'User input may be passed to shell command. Use subprocess with list args instead.',
+    regex: /(?:os\.system|subprocess\.call|subprocess\.Popen|exec|eval)\s*\(\s*(?:.*\+|.*\$\{)/,
+    suggestion: 'Use subprocess.run() with a list of arguments instead of shell=True.',
+    cwe: 'CWE-78',
+    languages: ['python'],
+  },
+  {
+    id: 'eval-usage',
+    severity: 'high',
+    category: 'injection',
+    title: 'Use of eval()',
+    description: 'eval() can execute arbitrary code. Use ast.literal_eval() for safe parsing.',
+    regex: /\beval\s*\(/,
+    suggestion: 'Use ast.literal_eval() for parsing Python literals, or json.loads() for JSON.',
+    cwe: 'CWE-95',
+    languages: ['python', 'javascript', 'typescript'],
+  },
+
+  // Hardcoded Secrets
+  {
+    id: 'hardcoded-password',
+    severity: 'high',
+    category: 'secrets',
+    title: 'Hardcoded Password',
+    description: 'Password appears to be hardcoded in source code.',
+    regex: /(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{3,}["']/i,
+    suggestion: 'Use environment variables or a secrets manager.',
+    cwe: 'CWE-798',
+  },
+  {
+    id: 'hardcoded-api-key',
+    severity: 'high',
+    category: 'secrets',
+    title: 'Hardcoded API Key',
+    description: 'API key or token appears to be hardcoded.',
+    regex: /(?:api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token)\s*[:=]\s*["'][A-Za-z0-9_-]{8,}["']/i,
+    suggestion: 'Use environment variables or a secrets manager.',
+    cwe: 'CWE-798',
+  },
+  {
+    id: 'aws-key',
+    severity: 'critical',
+    category: 'secrets',
+    title: 'AWS Access Key',
+    description: 'AWS access key pattern detected.',
+    regex: /AKIA[0-9A-Z]{16}/,
+    suggestion: 'Remove AWS credentials from source code. Use IAM roles or environment variables.',
+    cwe: 'CWE-798',
+  },
+  {
+    id: 'private-key',
+    severity: 'critical',
+    category: 'secrets',
+    title: 'Private Key',
+    description: 'Private key content detected in source code.',
+    regex: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/,
+    suggestion: 'Never embed private keys in source code. Use a secrets manager.',
+    cwe: 'CWE-798',
+  },
+
+  // XSS
+  {
+    id: 'xss-innerhtml',
+    severity: 'high',
+    category: 'xss',
+    title: 'Potential XSS via innerHTML',
+    description: 'Setting innerHTML with dynamic content can lead to XSS.',
+    regex: /\.innerHTML\s*=\s*(?!["']\s*;?\s*$)/,
+    suggestion: 'Use textContent or sanitize HTML with DOMPurify.',
+    cwe: 'CWE-79',
+    languages: ['javascript', 'typescript'],
+  },
+  {
+    id: 'xss-dangerouslySetInnerHTML',
+    severity: 'high',
+    category: 'xss',
+    title: 'Potential XSS via dangerouslySetInnerHTML',
+    description: 'dangerouslySetInnerHTML with dynamic content can lead to XSS.',
+    regex: /dangerouslySetInnerHTML\s*=\s*\{\{?\s*__html\s*:/,
+    suggestion: 'Sanitize HTML content with DOMPurify before using dangerouslySetInnerHTML.',
+    cwe: 'CWE-79',
+    languages: ['javascript', 'typescript'],
+  },
+
+  // Insecure Random
+  {
+    id: 'insecure-random',
+    severity: 'medium',
+    category: 'crypto',
+    title: 'Insecure Random Number Generator',
+    description: 'Math.random() is not cryptographically secure.',
+    regex: /Math\.random\s*\(\)/,
+    suggestion: 'Use crypto.getRandomValues() for security-sensitive operations.',
+    cwe: 'CWE-330',
+    languages: ['javascript', 'typescript'],
+  },
+
+  // Path Traversal
+  {
+    id: 'path-traversal',
+    severity: 'high',
+    category: 'path-traversal',
+    title: 'Potential Path Traversal',
+    description: 'User input used in file path without sanitization.',
+    regex: /(?:readFile|readFileSync|open|writeFile|writeFileSync)\s*\(\s*(?:.*\+|.*\$\{)/,
+    suggestion: 'Validate and sanitize file paths. Use path.resolve() with a whitelist.',
+    cwe: 'CWE-22',
+    languages: ['javascript', 'typescript', 'python'],
+  },
+
+  // Weak Cryptography
+  {
+    id: 'weak-hash-md5',
+    severity: 'medium',
+    category: 'crypto',
+    title: 'Weak Hashing Algorithm (MD5)',
+    description: 'MD5 is cryptographically broken. Use SHA-256 or better.',
+    regex: /(?:md5|MD5|hashlib\.md5)/,
+    suggestion: 'Use SHA-256 or SHA-3 for cryptographic hashing.',
+    cwe: 'CWE-328',
+  },
+  {
+    id: 'weak-hash-sha1',
+    severity: 'medium',
+    category: 'crypto',
+    title: 'Weak Hashing Algorithm (SHA-1)',
+    description: 'SHA-1 is deprecated for cryptographic use. Use SHA-256 or better.',
+    regex: /(?:sha1|SHA1|hashlib\.sha1)/,
+    suggestion: 'Use SHA-256 or SHA-3 for cryptographic hashing.',
+    cwe: 'CWE-328',
+  },
+
+  // Debug/Console in Production
+  {
+    id: 'console-log',
+    severity: 'info',
+    category: 'best-practice',
+    title: 'Console Log Statement',
+    description: 'Console.log statements should be removed before production.',
+    regex: /console\.(log|debug|info|warn)\s*\(/,
+    suggestion: 'Use a proper logging framework and remove debug statements.',
+    languages: ['javascript', 'typescript'],
+  },
+  {
+    id: 'print-debug',
+    severity: 'info',
+    category: 'best-practice',
+    title: 'Print Debug Statement',
+    description: 'Print statements should be removed before production.',
+    regex: /print\s*\(\s*["'][^"']*["']\s*\)/,
+    suggestion: 'Use the logging module instead of print statements.',
+    languages: ['python'],
+  },
+
+  // TODO/FIXME/HACK
+  {
+    id: 'todo-comment',
+    severity: 'info',
+    category: 'best-practice',
+    title: 'TODO Comment',
+    description: 'TODO comment found. Consider addressing this.',
+    regex: /\/\/\s*TODO|\/\*\s*TODO|#\s*TODO/i,
+    languages: ['javascript', 'typescript', 'python', 'go', 'java', 'rust'],
+  },
+]
+
+// ---------------------------------------------------------------------------
+// Scanner
+// ---------------------------------------------------------------------------
+
+export class SecurityScanner {
+  private patterns: VulnerabilityPattern[]
+
+  constructor(customPatterns?: VulnerabilityPattern[]) {
+    this.patterns = customPatterns ?? VULNERABILITY_PATTERNS
+  }
+
+  /**
+   * Scan a single file's content for security issues.
+   */
+  scanFile(filePath: string, content: string, language?: string): SecurityFinding[] {
+    const findings: SecurityFinding[] = []
+    const lines = content.split('\n')
+
+    for (const pattern of this.patterns) {
+      // Skip if language filter doesn't match
+      if (pattern.languages && language && !pattern.languages.includes(language)) {
+        continue
+      }
+
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i]
+        const match = line.match(pattern.regex)
+        if (match) {
+          findings.push({
+            id: `${pattern.id}-${filePath}:${i + 1}`,
+            severity: pattern.severity,
+            category: pattern.category,
+            title: pattern.title,
+            description: pattern.description,
+            file: filePath,
+            line: i + 1,
+            column: match.index,
+            code: line.trim(),
+            suggestion: pattern.suggestion,
+            cwe: pattern.cwe,
+          })
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Scan multiple files.
+   */
+  scanFiles(
+    files: Array<{ path: string; content: string; language?: string }>
+  ): SecurityReport {
+    const startTime = Date.now()
+    const allFindings: SecurityFinding[] = []
+
+    for (const file of files) {
+      const findings = this.scanFile(file.path, file.content, file.language)
+      allFindings.push(...findings)
+    }
+
+    const summary = {
+      total: allFindings.length,
+      critical: allFindings.filter(f => f.severity === 'critical').length,
+      high: allFindings.filter(f => f.severity === 'high').length,
+      medium: allFindings.filter(f => f.severity === 'medium').length,
+      low: allFindings.filter(f => f.severity === 'low').length,
+      info: allFindings.filter(f => f.severity === 'info').length,
+    }
+
+    return {
+      findings: allFindings.sort((a, b) => {
+        const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 }
+        return severityOrder[a.severity] - severityOrder[b.severity]
+      }),
+      summary,
+      scannedFiles: files.length,
+      scanDuration: Date.now() - startTime,
+    }
+  }
+
+  /**
+   * Add custom vulnerability patterns.
+   */
+  addPattern(pattern: VulnerabilityPattern): void {
+    this.patterns.push(pattern)
+  }
+
+  /**
+   * Get all available patterns.
+   */
+  getPatterns(): VulnerabilityPattern[] {
+    return [...this.patterns]
+  }
+}

package/src/utils/artifact-transaction.ts

@@ -0,0 +1,176 @@
+import * as fs from 'node:fs/promises'
+import * as path from 'node:path'
+import { randomUUID } from 'node:crypto'
+import { writeFileAtomic } from './atomic-write.js'
+
+export type ArtifactTransactionStatus = 'begin' | 'staged' | 'commit-ready'
+
+export interface ArtifactWriteInput {
+    targetPath: string
+    content: string
+    encoding?: BufferEncoding
+}
+
+interface ArtifactWriteJournal {
+    targetPath: string
+    stagedPath: string
+    encoding: BufferEncoding
+}
+
+interface ArtifactTransactionJournal {
+    id: string
+    name: string
+    createdAt: string
+    status: ArtifactTransactionStatus
+    writes: ArtifactWriteJournal[]
+    committedAt?: string
+}
+
+export interface ArtifactTransactionOptions {
+    simulateCrashAt?: 'after-begin' | 'after-stage' | 'after-commit-marker'
+}
+
+export interface RecoverySummary {
+    recovered: number
+    rolledBack: number
+    removedJournals: number
+}
+
+function getTransactionDirectory(projectRoot: string): string {
+    return path.join(projectRoot, '.mikk', 'transactions')
+}
+
+async function writeJournal(journalPath: string, journal: ArtifactTransactionJournal): Promise<void> {
+    await writeFileAtomic(journalPath, JSON.stringify(journal, null, 2), { encoding: 'utf-8' })
+}
+
+function makeStagedPath(targetPath: string, id: string): string {
+    const dir = path.dirname(targetPath)
+    const base = path.basename(targetPath)
+    return path.join(dir, `.${base}.txn-${id}.staged`)
+}
+
+export async function runArtifactWriteTransaction(
+    projectRoot: string,
+    name: string,
+    writes: ArtifactWriteInput[],
+    options: ArtifactTransactionOptions = {},
+): Promise<void> {
+    if (writes.length === 0) return
+
+    const txDir = getTransactionDirectory(projectRoot)
+    await fs.mkdir(txDir, { recursive: true })
+
+    const id = `${Date.now()}-${randomUUID().slice(0, 8)}`
+    const journalPath = path.join(txDir, `${id}.journal.json`)
+    const journal: ArtifactTransactionJournal = {
+        id,
+        name,
+        createdAt: new Date().toISOString(),
+        status: 'begin',
+        writes: writes.map((w) => ({
+            targetPath: w.targetPath,
+            stagedPath: makeStagedPath(w.targetPath, id),
+            encoding: w.encoding ?? 'utf-8',
+        })),
+    }
+
+    await writeJournal(journalPath, journal)
+    if (options.simulateCrashAt === 'after-begin') {
+        throw new Error('Simulated crash after begin')
+    }
+
+    for (let i = 0; i < writes.length; i++) {
+        const input = writes[i]
+        const record = journal.writes[i]
+        await fs.mkdir(path.dirname(record.stagedPath), { recursive: true })
+        await writeFileAtomic(record.stagedPath, input.content, { encoding: record.encoding })
+    }
+
+    journal.status = 'staged'
+    await writeJournal(journalPath, journal)
+    if (options.simulateCrashAt === 'after-stage') {
+        throw new Error('Simulated crash after stage')
+    }
+
+    journal.status = 'commit-ready'
+    journal.committedAt = new Date().toISOString()
+    await writeJournal(journalPath, journal)
+    if (options.simulateCrashAt === 'after-commit-marker') {
+        throw new Error('Simulated crash after commit marker')
+    }
+
+    for (const write of journal.writes) {
+        await fs.rename(write.stagedPath, write.targetPath)
+    }
+
+    await fs.unlink(journalPath)
+}
+
+export async function recoverArtifactWriteTransactions(projectRoot: string): Promise<RecoverySummary> {
+    const txDir = getTransactionDirectory(projectRoot)
+    const summary: RecoverySummary = {
+        recovered: 0,
+        rolledBack: 0,
+        removedJournals: 0,
+    }
+
+    let entries: string[] = []
+    try {
+        entries = await fs.readdir(txDir)
+    } catch {
+        return summary
+    }
+
+    const journals = entries.filter((name) => name.endsWith('.journal.json'))
+
+    for (const file of journals) {
+        const journalPath = path.join(txDir, file)
+        let journal: ArtifactTransactionJournal | null = null
+        try {
+            const raw = await fs.readFile(journalPath, 'utf-8')
+            journal = JSON.parse(raw) as ArtifactTransactionJournal
+        } catch {
+            try {
+                await fs.unlink(journalPath)
+                summary.removedJournals += 1
+            } catch {
+                // Ignore broken journal cleanup failures.
+            }
+            continue
+        }
+
+        try {
+            if (journal.status === 'commit-ready') {
+                for (const write of journal.writes) {
+                    try {
+                        await fs.rename(write.stagedPath, write.targetPath)
+                    } catch (err: any) {
+                        if (err?.code !== 'ENOENT') {
+                            throw err
+                        }
+                    }
+                }
+                summary.recovered += 1
+            } else {
+                for (const write of journal.writes) {
+                    try {
+                        await fs.unlink(write.stagedPath)
+                    } catch {
+                        // Ignore missing staged files.
+                    }
+                }
+                summary.rolledBack += 1
+            }
+        } finally {
+            try {
+                await fs.unlink(journalPath)
+                summary.removedJournals += 1
+            } catch {
+                // Ignore missing journal file.
+            }
+        }
+    }
+
+    return summary
+}

package/src/utils/atomic-write.ts

@@ -0,0 +1,131 @@
+import * as fs from 'node:fs/promises'
+import * as path from 'node:path'
+import { randomUUID } from 'node:crypto'
+
+export interface AtomicWriteOptions {
+    encoding?: BufferEncoding
+    mode?: number
+    lockTimeoutMs?: number
+    staleLockMs?: number
+    retryDelayMs?: number
+}
+
+const DEFAULT_LOCK_TIMEOUT_MS = 10_000
+const DEFAULT_STALE_LOCK_MS = 60_000
+const DEFAULT_RETRY_DELAY_MS = 50
+
+const sleep = (ms: number) => new Promise(resolve => setTimeout(resolve, ms))
+
+async function acquireFileLock(lockPath: string, options: AtomicWriteOptions): Promise<() => Promise<void>> {
+    const lockTimeoutMs = options.lockTimeoutMs ?? DEFAULT_LOCK_TIMEOUT_MS
+    const staleLockMs = options.staleLockMs ?? DEFAULT_STALE_LOCK_MS
+    const retryDelayMs = options.retryDelayMs ?? DEFAULT_RETRY_DELAY_MS
+    const startedAt = Date.now()
+
+    while (true) {
+        try {
+            const fd = await fs.open(lockPath, 'wx')
+            try {
+                const payload = JSON.stringify({ pid: process.pid, acquiredAt: new Date().toISOString() })
+                await fd.writeFile(payload, { encoding: 'utf-8' })
+                await fd.sync()
+            } finally {
+                await fd.close()
+            }
+
+            return async () => {
+                try {
+                    await fs.unlink(lockPath)
+                } catch {
+                    // Ignore missing locks on release.
+                }
+            }
+        } catch (err: any) {
+            if (err?.code !== 'EEXIST') {
+                throw err
+            }
+
+            try {
+                const stat = await fs.stat(lockPath)
+                const ageMs = Date.now() - stat.mtimeMs
+                if (ageMs > staleLockMs) {
+                    await fs.unlink(lockPath)
+                    continue
+                }
+            } catch {
+                // Lock disappeared between stat/unlink checks — retry acquisition.
+            }
+
+            if (Date.now() - startedAt > lockTimeoutMs) {
+                throw new Error(`Timed out acquiring write lock for ${path.basename(lockPath)}`)
+            }
+
+            await sleep(retryDelayMs)
+        }
+    }
+}
+
+/**
+ * Write a file atomically with a lock-file critical section.
+ *
+ * Guarantees:
+ * - Atomicity: write to temp file then rename
+ * - Isolation: one writer at a time via lock file
+ * - Durability: fsync temp file and parent directory (best effort)
+ */
+export async function writeFileAtomic(
+    targetPath: string,
+    content: string,
+    options: AtomicWriteOptions = {}
+): Promise<void> {
+    const directory = path.dirname(targetPath)
+    const baseName = path.basename(targetPath)
+    const lockPath = `${targetPath}.lock`
+    const tempPath = path.join(
+        directory,
+        `.${baseName}.${process.pid}.${Date.now()}.${randomUUID().slice(0, 8)}.tmp`
+    )
+
+    await fs.mkdir(directory, { recursive: true })
+    const releaseLock = await acquireFileLock(lockPath, options)
+
+    try {
+        const fd = await fs.open(tempPath, 'w', options.mode)
+        try {
+            await fd.writeFile(content, { encoding: options.encoding ?? 'utf-8' })
+            await fd.sync()
+        } finally {
+            await fd.close()
+        }
+
+        await fs.rename(tempPath, targetPath)
+
+        // Best-effort directory fsync for rename durability.
+        try {
+            const dirFd = await fs.open(directory, 'r')
+            try {
+                await dirFd.sync()
+            } finally {
+                await dirFd.close()
+            }
+        } catch {
+            // Directory fsync can fail on some platforms/filesystems.
+        }
+    } finally {
+        try {
+            await fs.unlink(tempPath)
+        } catch {
+            // Temp file may already be moved/removed.
+        }
+        await releaseLock()
+    }
+}
+
+export async function writeJsonAtomic(
+    targetPath: string,
+    value: unknown,
+    options: AtomicWriteOptions = {}
+): Promise<void> {
+    const payload = JSON.stringify(value)
+    await writeFileAtomic(targetPath, payload, options)
+}