@getmikk/core 2.0.13 → 2.0.14

package/src/parser/tree-sitter/parser.ts

@@ -519,13 +519,41 @@ export class TreeSitterParser extends BaseParser {
         try {
             const nameForFile = name.replace(/-/g, '_')
             
-            // Try multiple possible WASM locations
-            const possiblePaths = [
-                path.resolve('node_modules/tree-sitter-wasms/out', `tree-sitter-${nameForFile}.wasm`),
-                path.resolve('./node_modules/tree-sitter-wasms/out', `tree-sitter-${nameForFile}.wasm`),
-                path.resolve(process.cwd(), 'node_modules/tree-sitter-wasms/out', `tree-sitter-${nameForFile}.wasm`),
-                path.resolve(process.cwd(), 'node_modules', 'tree-sitter-wasms', 'out', `tree-sitter-${nameForFile}.wasm`),
-            ]
+            // Try multiple possible WASM locations, including parent directories and siblings for monorepos
+            const baseDirs = new Set<string>()
+            baseDirs.add(process.cwd())
+            
+            // Add parent directories (up to 4 levels) for monorepo setups
+            let current = process.cwd()
+            let parentDir = ''
+            for (let i = 0; i < 4; i++) {
+                parentDir = path.dirname(current)
+                if (parentDir === current) break
+                baseDirs.add(parentDir)
+                baseDirs.add(path.join(parentDir, 'node_modules'))
+                
+                // Also check sibling directories in the parent for monorepo setups
+                // (e.g., metis and Mesh are siblings under the same parent)
+                try {
+                    const fs = await import('node:fs')
+                    const entries = fs.readdirSync(parentDir, { withFileTypes: true })
+                    for (const entry of entries) {
+                        if (entry.isDirectory() && entry.name !== path.basename(current)) {
+                            baseDirs.add(path.join(parentDir, entry.name, 'node_modules'))
+                        }
+                    }
+                } catch { /* skip */ }
+                
+                current = parentDir
+            }
+
+            const possiblePaths: string[] = []
+            for (const baseDir of baseDirs) {
+                if (!baseDir) continue
+                possiblePaths.push(
+                    path.join(baseDir, 'node_modules/tree-sitter-wasms/out', `tree-sitter-${nameForFile}.wasm`),
+                )
+            }
             
             let wasmPath = ''
             for (const p of possiblePaths) {
@@ -563,7 +591,6 @@ export class TreeSitterParser extends BaseParser {
             
             if (!wasmPath) {
                 // WASM not found - but don't mark as permanent error, just skip this language
-                console.warn(`Tree-sitter WASM not found for ${name}`)
                 return null
             }
             

package/src/security/index.ts

@@ -0,0 +1 @@
+export { SecurityScanner, type SecurityFinding, type SecurityReport } from './scanner.js'

package/src/security/scanner.ts

@@ -0,0 +1,342 @@
+// ---------------------------------------------------------------------------
+// Security Vulnerability Scanning — foundation for detecting common patterns
+// ---------------------------------------------------------------------------
+
+export interface SecurityFinding {
+  id: string
+  severity: 'critical' | 'high' | 'medium' | 'low' | 'info'
+  category: string
+  title: string
+  description: string
+  file: string
+  line: number
+  column?: number
+  code: string
+  suggestion?: string
+  cwe?: string
+  cve?: string
+}
+
+export interface SecurityReport {
+  findings: SecurityFinding[]
+  summary: {
+    total: number
+    critical: number
+    high: number
+    medium: number
+    low: number
+    info: number
+  }
+  scannedFiles: number
+  scanDuration: number
+}
+
+// ---------------------------------------------------------------------------
+// Pattern definitions for common vulnerability categories
+// ---------------------------------------------------------------------------
+
+interface VulnerabilityPattern {
+  id: string
+  severity: SecurityFinding['severity']
+  category: string
+  title: string
+  description: string
+  regex: RegExp
+  suggestion?: string
+  cwe?: string
+  languages?: string[]
+}
+
+const VULNERABILITY_PATTERNS: VulnerabilityPattern[] = [
+  // SQL Injection
+  {
+    id: 'sql-injection',
+    severity: 'critical',
+    category: 'injection',
+    title: 'Potential SQL Injection',
+    description: 'String concatenation in SQL query detected. Use parameterized queries instead.',
+    regex: /(?:execute|query|cursor\.execute)\s*\(\s*["'].*(?:\+|\$\{)/,
+    suggestion: 'Use parameterized queries: cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))',
+    cwe: 'CWE-89',
+    languages: ['python', 'javascript', 'typescript'],
+  },
+  {
+    id: 'sql-injection-fstring',
+    severity: 'critical',
+    category: 'injection',
+    title: 'SQL Injection via f-string',
+    description: 'f-string used in SQL query. Use parameterized queries.',
+    regex: /(?:execute|query)\s*\(\s*f["']/,
+    suggestion: 'Use parameterized queries instead of f-strings in SQL.',
+    cwe: 'CWE-89',
+    languages: ['python'],
+  },
+
+  // Command Injection
+  {
+    id: 'command-injection',
+    severity: 'critical',
+    category: 'injection',
+    title: 'Potential Command Injection',
+    description: 'User input may be passed to shell command. Use subprocess with list args instead.',
+    regex: /(?:os\.system|subprocess\.call|subprocess\.Popen|exec|eval)\s*\(\s*(?:.*\+|.*\$\{)/,
+    suggestion: 'Use subprocess.run() with a list of arguments instead of shell=True.',
+    cwe: 'CWE-78',
+    languages: ['python'],
+  },
+  {
+    id: 'eval-usage',
+    severity: 'high',
+    category: 'injection',
+    title: 'Use of eval()',
+    description: 'eval() can execute arbitrary code. Use ast.literal_eval() for safe parsing.',
+    regex: /\beval\s*\(/,
+    suggestion: 'Use ast.literal_eval() for parsing Python literals, or json.loads() for JSON.',
+    cwe: 'CWE-95',
+    languages: ['python', 'javascript', 'typescript'],
+  },
+
+  // Hardcoded Secrets
+  {
+    id: 'hardcoded-password',
+    severity: 'high',
+    category: 'secrets',
+    title: 'Hardcoded Password',
+    description: 'Password appears to be hardcoded in source code.',
+    regex: /(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{3,}["']/i,
+    suggestion: 'Use environment variables or a secrets manager.',
+    cwe: 'CWE-798',
+  },
+  {
+    id: 'hardcoded-api-key',
+    severity: 'high',
+    category: 'secrets',
+    title: 'Hardcoded API Key',
+    description: 'API key or token appears to be hardcoded.',
+    regex: /(?:api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token)\s*[:=]\s*["'][A-Za-z0-9_-]{8,}["']/i,
+    suggestion: 'Use environment variables or a secrets manager.',
+    cwe: 'CWE-798',
+  },
+  {
+    id: 'aws-key',
+    severity: 'critical',
+    category: 'secrets',
+    title: 'AWS Access Key',
+    description: 'AWS access key pattern detected.',
+    regex: /AKIA[0-9A-Z]{16}/,
+    suggestion: 'Remove AWS credentials from source code. Use IAM roles or environment variables.',
+    cwe: 'CWE-798',
+  },
+  {
+    id: 'private-key',
+    severity: 'critical',
+    category: 'secrets',
+    title: 'Private Key',
+    description: 'Private key content detected in source code.',
+    regex: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/,
+    suggestion: 'Never embed private keys in source code. Use a secrets manager.',
+    cwe: 'CWE-798',
+  },
+
+  // XSS
+  {
+    id: 'xss-innerhtml',
+    severity: 'high',
+    category: 'xss',
+    title: 'Potential XSS via innerHTML',
+    description: 'Setting innerHTML with dynamic content can lead to XSS.',
+    regex: /\.innerHTML\s*=\s*(?!["']\s*;?\s*$)/,
+    suggestion: 'Use textContent or sanitize HTML with DOMPurify.',
+    cwe: 'CWE-79',
+    languages: ['javascript', 'typescript'],
+  },
+  {
+    id: 'xss-dangerouslySetInnerHTML',
+    severity: 'high',
+    category: 'xss',
+    title: 'Potential XSS via dangerouslySetInnerHTML',
+    description: 'dangerouslySetInnerHTML with dynamic content can lead to XSS.',
+    regex: /dangerouslySetInnerHTML\s*=\s*\{\{?\s*__html\s*:/,
+    suggestion: 'Sanitize HTML content with DOMPurify before using dangerouslySetInnerHTML.',
+    cwe: 'CWE-79',
+    languages: ['javascript', 'typescript'],
+  },
+
+  // Insecure Random
+  {
+    id: 'insecure-random',
+    severity: 'medium',
+    category: 'crypto',
+    title: 'Insecure Random Number Generator',
+    description: 'Math.random() is not cryptographically secure.',
+    regex: /Math\.random\s*\(\)/,
+    suggestion: 'Use crypto.getRandomValues() for security-sensitive operations.',
+    cwe: 'CWE-330',
+    languages: ['javascript', 'typescript'],
+  },
+
+  // Path Traversal
+  {
+    id: 'path-traversal',
+    severity: 'high',
+    category: 'path-traversal',
+    title: 'Potential Path Traversal',
+    description: 'User input used in file path without sanitization.',
+    regex: /(?:readFile|readFileSync|open|writeFile|writeFileSync)\s*\(\s*(?:.*\+|.*\$\{)/,
+    suggestion: 'Validate and sanitize file paths. Use path.resolve() with a whitelist.',
+    cwe: 'CWE-22',
+    languages: ['javascript', 'typescript', 'python'],
+  },
+
+  // Weak Cryptography
+  {
+    id: 'weak-hash-md5',
+    severity: 'medium',
+    category: 'crypto',
+    title: 'Weak Hashing Algorithm (MD5)',
+    description: 'MD5 is cryptographically broken. Use SHA-256 or better.',
+    regex: /(?:md5|MD5|hashlib\.md5)/,
+    suggestion: 'Use SHA-256 or SHA-3 for cryptographic hashing.',
+    cwe: 'CWE-328',
+  },
+  {
+    id: 'weak-hash-sha1',
+    severity: 'medium',
+    category: 'crypto',
+    title: 'Weak Hashing Algorithm (SHA-1)',
+    description: 'SHA-1 is deprecated for cryptographic use. Use SHA-256 or better.',
+    regex: /(?:sha1|SHA1|hashlib\.sha1)/,
+    suggestion: 'Use SHA-256 or SHA-3 for cryptographic hashing.',
+    cwe: 'CWE-328',
+  },
+
+  // Debug/Console in Production
+  {
+    id: 'console-log',
+    severity: 'info',
+    category: 'best-practice',
+    title: 'Console Log Statement',
+    description: 'Console.log statements should be removed before production.',
+    regex: /console\.(log|debug|info|warn)\s*\(/,
+    suggestion: 'Use a proper logging framework and remove debug statements.',
+    languages: ['javascript', 'typescript'],
+  },
+  {
+    id: 'print-debug',
+    severity: 'info',
+    category: 'best-practice',
+    title: 'Print Debug Statement',
+    description: 'Print statements should be removed before production.',
+    regex: /print\s*\(\s*["'][^"']*["']\s*\)/,
+    suggestion: 'Use the logging module instead of print statements.',
+    languages: ['python'],
+  },
+
+  // TODO/FIXME/HACK
+  {
+    id: 'todo-comment',
+    severity: 'info',
+    category: 'best-practice',
+    title: 'TODO Comment',
+    description: 'TODO comment found. Consider addressing this.',
+    regex: /\/\/\s*TODO|\/\*\s*TODO|#\s*TODO/i,
+    languages: ['javascript', 'typescript', 'python', 'go', 'java', 'rust'],
+  },
+]
+
+// ---------------------------------------------------------------------------
+// Scanner
+// ---------------------------------------------------------------------------
+
+export class SecurityScanner {
+  private patterns: VulnerabilityPattern[]
+
+  constructor(customPatterns?: VulnerabilityPattern[]) {
+    this.patterns = customPatterns ?? VULNERABILITY_PATTERNS
+  }
+
+  /**
+   * Scan a single file's content for security issues.
+   */
+  scanFile(filePath: string, content: string, language?: string): SecurityFinding[] {
+    const findings: SecurityFinding[] = []
+    const lines = content.split('\n')
+
+    for (const pattern of this.patterns) {
+      // Skip if language filter doesn't match
+      if (pattern.languages && language && !pattern.languages.includes(language)) {
+        continue
+      }
+
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i]
+        const match = line.match(pattern.regex)
+        if (match) {
+          findings.push({
+            id: `${pattern.id}-${filePath}:${i + 1}`,
+            severity: pattern.severity,
+            category: pattern.category,
+            title: pattern.title,
+            description: pattern.description,
+            file: filePath,
+            line: i + 1,
+            column: match.index,
+            code: line.trim(),
+            suggestion: pattern.suggestion,
+            cwe: pattern.cwe,
+          })
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Scan multiple files.
+   */
+  scanFiles(
+    files: Array<{ path: string; content: string; language?: string }>
+  ): SecurityReport {
+    const startTime = Date.now()
+    const allFindings: SecurityFinding[] = []
+
+    for (const file of files) {
+      const findings = this.scanFile(file.path, file.content, file.language)
+      allFindings.push(...findings)
+    }
+
+    const summary = {
+      total: allFindings.length,
+      critical: allFindings.filter(f => f.severity === 'critical').length,
+      high: allFindings.filter(f => f.severity === 'high').length,
+      medium: allFindings.filter(f => f.severity === 'medium').length,
+      low: allFindings.filter(f => f.severity === 'low').length,
+      info: allFindings.filter(f => f.severity === 'info').length,
+    }
+
+    return {
+      findings: allFindings.sort((a, b) => {
+        const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 }
+        return severityOrder[a.severity] - severityOrder[b.severity]
+      }),
+      summary,
+      scannedFiles: files.length,
+      scanDuration: Date.now() - startTime,
+    }
+  }
+
+  /**
+   * Add custom vulnerability patterns.
+   */
+  addPattern(pattern: VulnerabilityPattern): void {
+    this.patterns.push(pattern)
+  }
+
+  /**
+   * Get all available patterns.
+   */
+  getPatterns(): VulnerabilityPattern[] {
+    return [...this.patterns]
+  }
+}

package/src/utils/fs.ts

@@ -276,7 +276,7 @@ function inferContextFileType(filePath: string): ContextFileType {
 }
 
 /** Recognised project language */
-export type ProjectLanguage = 'typescript' | 'javascript' | 'python' | 'go' | 'rust' | 'java' | 'swift' | 'ruby' | 'php' | 'csharp' | 'c' | 'cpp' | 'unknown'
+export type ProjectLanguage = 'typescript' | 'javascript' | 'python' | 'go' | 'rust' | 'java' | 'swift' | 'ruby' | 'php' | 'csharp' | 'c' | 'cpp' | 'unknown' | 'polyglot'
 
 /** Auto-detect the project's primary language from manifest files */
 export async function detectProjectLanguage(projectRoot: string): Promise<ProjectLanguage> {
@@ -310,24 +310,28 @@ export function getDiscoveryPatterns(language: ProjectLanguage): { patterns: str
     ]
 
     const toPatterns = (lang: ProjectLanguage): string[] => {
-        return getDiscoveryExtensions(lang).map(ext => `**/*${ext}`)
+        if (lang === 'polyglot') {
+            // For polyglot, use LANGUAGE_EXTENSIONS.polyglot directly
+            return getDiscoveryExtensions('polyglot' as any).map(ext => `**/*${ext}`)
+        }
+        return getDiscoveryExtensions(lang as any).map(ext => `**/*${ext}`)
     }
 
     switch (language) {
         case 'typescript':
             return {
                 patterns: toPatterns(language),
-                ignore: [...commonIgnore, '**/node_modules/**', '**/dist/**', '**/.next/**', '**/.nuxt/**', '**/.svelte-kit/**', '**/*.d.ts', '**/*.test.{ts,js,tsx,jsx}', '**/*.spec.{ts,js,tsx,jsx}'],
+                ignore: [...commonIgnore, '**/node_modules/**', '**/dist/**', '**/.next/**', '**/.nuxt/**', '**/.svelte-kit/**', '**/*.d.ts', '**/*.test.{ts,js,tsx,jsx}', '**/*.spec.{ts,js,tsx,jsx}', '**/venv/**', '**/.venv/**'],
             }
         case 'javascript':
             return {
                 patterns: toPatterns(language),
-                ignore: [...commonIgnore, '**/node_modules/**', '**/dist/**', '**/.next/**', '**/*.d.ts', '**/*.test.{ts,js,tsx,jsx}', '**/*.spec.{ts,js,tsx,jsx}'],
+                ignore: [...commonIgnore, '**/node_modules/**', '**/dist/**', '**/.next/**', '**/*.d.ts', '**/*.test.{ts,js,tsx,jsx}', '**/*.spec.{ts,js,tsx,jsx}', '**/venv/**', '**/.venv/**'],
             }
         case 'python':
             return {
                 patterns: toPatterns(language),
-                ignore: [...commonIgnore, '**/__pycache__/**', '**/venv/**', '**/.venv/**', '**/.tox/**', '**/test_*.py', '**/*_test.py'],
+                ignore: [...commonIgnore, '**/__pycache__/**', '**/venv/**', '**/.venv/**', '**/.tox/**', '**/test_*.py', '**/*_test.py', '**/lib/site-packages/**'],
             }
         case 'go':
             return {
@@ -352,34 +356,47 @@ export function getDiscoveryPatterns(language: ProjectLanguage): { patterns: str
         case 'ruby':
             return {
                 patterns: toPatterns(language),
-                ignore: [...commonIgnore, '**/vendor/**', '**/*_spec.rb', '**/spec/**'],
+                ignore: [...commonIgnore, '**/vendor/**', '**/*.gemspec'],
             }
         case 'php':
             return {
                 patterns: toPatterns(language),
-                ignore: [...commonIgnore, '**/vendor/**', '**/*Test.php'],
+                ignore: [...commonIgnore, '**/vendor/**', '**/tests/**', '**/Test*.php'],
             }
         case 'csharp':
             return {
                 patterns: toPatterns(language),
-                ignore: [...commonIgnore, '**/bin/**', '**/obj/**'],
+                ignore: [...commonIgnore, '**/bin/**', '**/obj/**', '**/*Test.cs'],
             }
-        case 'cpp':
+        case 'c':
             return {
                 patterns: toPatterns(language),
-                ignore: [...commonIgnore, '**/build/**', '**/cmake-build-*/**'],
+                ignore: [...commonIgnore, '**/*.h'],
             }
-        case 'c':
+        case 'cpp':
             return {
                 patterns: toPatterns(language),
-                ignore: [...commonIgnore, '**/build/**'],
+                ignore: [...commonIgnore, '**/build/**', '**/*.hpp'],
             }
-        default:
-            // Fallback: discover JS/TS (most common)
+        case 'polyglot':
             return {
                 patterns: toPatterns(language),
-                ignore: [...commonIgnore, '**/node_modules/**', '**/dist/**', '**/*.d.ts'],
+                ignore: [
+                    ...commonIgnore,
+                    '**/node_modules/**', '**/dist/**', '**/.next/**', '**/.nuxt/**', '**/.svelte-kit/**',
+                    '**/__pycache__/**', '**/venv/**', '**/.venv/**', '**/.tox/**', '**/lib/site-packages/**',
+                    '**/vendor/**', '**/target/**', '**/.gradle/**', '**/.build/**', '**/bin/**', '**/obj/**',
+                    '**/*.d.ts', '**/*.test.{ts,js,tsx,jsx}', '**/*.spec.{ts,js,tsx,jsx}',
+                    '**/test_*.py', '**/*_test.py', '**/Test*.java', '**/*Test.java', '**/*Test.cs',
+                ],
             }
+        case 'unknown':
+            return {
+                patterns: ['**/*.{ts,tsx,js,jsx}'],
+                ignore: [...commonIgnore, '**/node_modules/**'],
+            }
+        default:
+            return { patterns: [], ignore: commonIgnore }
     }
 }
 
@@ -625,6 +642,20 @@ const LANGUAGE_IGNORE_TEMPLATES: Record<ProjectLanguage, string[]> = {
         '__tests__/',
         '',
     ],
+    polyglot: [
+        '# Multi-language project',
+        '**/node_modules/**',
+        '**/venv/**',
+        '**/.venv/**',
+        '**/__pycache__/**',
+        '**/site-packages/**',
+        '**/vendor/**',
+        '**/target/**',
+        '**/build/**',
+        '**/dist/**',
+        '**/.next/**',
+        '',
+    ],
 }
 
 /**

package/src/utils/language-registry.ts

@@ -14,6 +14,7 @@ export type RegistryLanguage =
     | 'csharp'
     | 'c'
     | 'cpp'
+    | 'polyglot'
     | 'unknown'
 
 const OXC_EXTENSIONS = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs'] as const
@@ -44,6 +45,18 @@ const LANGUAGE_EXTENSIONS: Record<RegistryLanguage, readonly string[]> = {
     csharp: ['.cs'],
     c: ['.c', '.h'],
     cpp: ['.cpp', '.cc', '.cxx', '.hpp', '.hxx', '.hh', '.h'],
+    polyglot: [
+        '.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs',
+        '.py',
+        '.go',
+        '.rs',
+        '.java', '.kt', '.kts',
+        '.swift',
+        '.rb',
+        '.php',
+        '.cs',
+        '.c', '.h', '.cpp', '.cc', '.cxx', '.hpp', '.hxx', '.hh',
+    ],
     unknown: ['.ts', '.tsx', '.js', '.jsx'],
 }
 

package/src/utils/minimatch.ts

@@ -4,7 +4,7 @@
  * Rules:
  *   - Pattern with no glob chars (*, ?, {, [) → directory prefix match
  *     "src/auth" matches "src/auth/jwt.ts" and "src/auth" itself
- *   - "**" matches any depth
+ *   - "**" matches any depth (zero or more directory segments)
  *   - "*"  matches within a single directory segment
  */
 export function minimatch(filePath: string, pattern: string): boolean {
@@ -17,12 +17,55 @@ export function minimatch(filePath: string, pattern: string): boolean {
     return normalizedPath === bare || normalizedPath.startsWith(bare + '/')
   }
 
-  // Convert glob to regex
-  const regexStr = normalizedPattern
+  // Handle patterns that start with ** - these should match anywhere in the path
+  // e.g., **/venv/** should match if there's a /venv/ segment anywhere
+  if (normalizedPattern.startsWith('**/')) {
+    const rest = normalizedPattern.slice(3) // Remove **/
+    // Check if the rest of the pattern appears as a path segment
+    // For **/venv/**, check if /venv/ is in the path
+    // For **/node_modules/**, check if /node_modules/ is in the path
+    const segments = normalizedPath.split('/')
+    const patternSegments = rest.split('/').filter(Boolean)
+    
+    // Check if pattern segments appear consecutively in path
+    for (let i = 0; i <= segments.length - patternSegments.length; i++) {
+      let match = true
+      for (let j = 0; j < patternSegments.length; j++) {
+        const pseg = patternSegments[j].replace(/\*/g, '[^/]*')
+        if (!new RegExp('^' + pseg + '$', 'i').test(segments[i + j])) {
+          match = false
+          break
+        }
+      }
+      if (match) return true
+    }
+    return false
+  }
+
+  // Convert glob to regex (for patterns not starting with **)
+  let regexStr = normalizedPattern
+    .replace(/\[/g, '\\[')
+    .replace(/\]/g, '\\]')
     .replace(/\./g, '\\.')
-    .replace(/\*\*\//g, '(?:.+/)?')
-    .replace(/\*\*/g, '.*')
-    .replace(/\*/g, '[^/]*')
+  
+  // Replace **/ at end with (?:[^/]+/)* - matches zero or more dir segments ending with /
+  // But we need to handle path/** specifically - matching path/file, path/dir/file, etc.
+  
+  // Handle trailing /** specifically - should match path itself and anything under it
+  if (normalizedPattern.endsWith('/**')) {
+    const base = normalizedPattern.slice(0, -3) // Remove /**
+    // Match either exact base or base + anything
+    return normalizedPath === base || normalizedPath.startsWith(base + '/')
+  }
+  
+  // Replace **/ with (?:[^/]+/)* - matches zero or more directory segments
+  regexStr = regexStr.replace(/\*\*\//g, '(?:[^/]+/)*')
+  // Replace trailing ** with (?:[^/]+/)*[^/]+ - matches zero or more at end  
+  regexStr = regexStr.replace(/\*\*$/g, '(?:[^/]+/)*[^/]+')
+  // Standalone **
+  regexStr = regexStr.replace(/\*\*/g, '(?:[^/]+/)*[^/]+')
+  // Single * matches any characters except slash
+  regexStr = regexStr.replace(/\*/g, '[^/]*')
 
   return new RegExp(`^${regexStr}$`, 'i').test(normalizedPath)
 }