@getmikk/core 2.0.13 → 2.0.15

package/src/security/scanner.ts

@@ -0,0 +1,342 @@
+// ---------------------------------------------------------------------------
+// Security Vulnerability Scanning — foundation for detecting common patterns
+// ---------------------------------------------------------------------------
+
+export interface SecurityFinding {
+  id: string
+  severity: 'critical' | 'high' | 'medium' | 'low' | 'info'
+  category: string
+  title: string
+  description: string
+  file: string
+  line: number
+  column?: number
+  code: string
+  suggestion?: string
+  cwe?: string
+  cve?: string
+}
+
+export interface SecurityReport {
+  findings: SecurityFinding[]
+  summary: {
+    total: number
+    critical: number
+    high: number
+    medium: number
+    low: number
+    info: number
+  }
+  scannedFiles: number
+  scanDuration: number
+}
+
+// ---------------------------------------------------------------------------
+// Pattern definitions for common vulnerability categories
+// ---------------------------------------------------------------------------
+
+interface VulnerabilityPattern {
+  id: string
+  severity: SecurityFinding['severity']
+  category: string
+  title: string
+  description: string
+  regex: RegExp
+  suggestion?: string
+  cwe?: string
+  languages?: string[]
+}
+
+const VULNERABILITY_PATTERNS: VulnerabilityPattern[] = [
+  // SQL Injection
+  {
+    id: 'sql-injection',
+    severity: 'critical',
+    category: 'injection',
+    title: 'Potential SQL Injection',
+    description: 'String concatenation in SQL query detected. Use parameterized queries instead.',
+    regex: /(?:execute|query|cursor\.execute)\s*\(\s*["'].*(?:\+|\$\{)/,
+    suggestion: 'Use parameterized queries: cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))',
+    cwe: 'CWE-89',
+    languages: ['python', 'javascript', 'typescript'],
+  },
+  {
+    id: 'sql-injection-fstring',
+    severity: 'critical',
+    category: 'injection',
+    title: 'SQL Injection via f-string',
+    description: 'f-string used in SQL query. Use parameterized queries.',
+    regex: /(?:execute|query)\s*\(\s*f["']/,
+    suggestion: 'Use parameterized queries instead of f-strings in SQL.',
+    cwe: 'CWE-89',
+    languages: ['python'],
+  },
+
+  // Command Injection
+  {
+    id: 'command-injection',
+    severity: 'critical',
+    category: 'injection',
+    title: 'Potential Command Injection',
+    description: 'User input may be passed to shell command. Use subprocess with list args instead.',
+    regex: /(?:os\.system|subprocess\.call|subprocess\.Popen|exec|eval)\s*\(\s*(?:.*\+|.*\$\{)/,
+    suggestion: 'Use subprocess.run() with a list of arguments instead of shell=True.',
+    cwe: 'CWE-78',
+    languages: ['python'],
+  },
+  {
+    id: 'eval-usage',
+    severity: 'high',
+    category: 'injection',
+    title: 'Use of eval()',
+    description: 'eval() can execute arbitrary code. Use ast.literal_eval() for safe parsing.',
+    regex: /\beval\s*\(/,
+    suggestion: 'Use ast.literal_eval() for parsing Python literals, or json.loads() for JSON.',
+    cwe: 'CWE-95',
+    languages: ['python', 'javascript', 'typescript'],
+  },
+
+  // Hardcoded Secrets
+  {
+    id: 'hardcoded-password',
+    severity: 'high',
+    category: 'secrets',
+    title: 'Hardcoded Password',
+    description: 'Password appears to be hardcoded in source code.',
+    regex: /(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{3,}["']/i,
+    suggestion: 'Use environment variables or a secrets manager.',
+    cwe: 'CWE-798',
+  },
+  {
+    id: 'hardcoded-api-key',
+    severity: 'high',
+    category: 'secrets',
+    title: 'Hardcoded API Key',
+    description: 'API key or token appears to be hardcoded.',
+    regex: /(?:api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token)\s*[:=]\s*["'][A-Za-z0-9_-]{8,}["']/i,
+    suggestion: 'Use environment variables or a secrets manager.',
+    cwe: 'CWE-798',
+  },
+  {
+    id: 'aws-key',
+    severity: 'critical',
+    category: 'secrets',
+    title: 'AWS Access Key',
+    description: 'AWS access key pattern detected.',
+    regex: /AKIA[0-9A-Z]{16}/,
+    suggestion: 'Remove AWS credentials from source code. Use IAM roles or environment variables.',
+    cwe: 'CWE-798',
+  },
+  {
+    id: 'private-key',
+    severity: 'critical',
+    category: 'secrets',
+    title: 'Private Key',
+    description: 'Private key content detected in source code.',
+    regex: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/,
+    suggestion: 'Never embed private keys in source code. Use a secrets manager.',
+    cwe: 'CWE-798',
+  },
+
+  // XSS
+  {
+    id: 'xss-innerhtml',
+    severity: 'high',
+    category: 'xss',
+    title: 'Potential XSS via innerHTML',
+    description: 'Setting innerHTML with dynamic content can lead to XSS.',
+    regex: /\.innerHTML\s*=\s*(?!["']\s*;?\s*$)/,
+    suggestion: 'Use textContent or sanitize HTML with DOMPurify.',
+    cwe: 'CWE-79',
+    languages: ['javascript', 'typescript'],
+  },
+  {
+    id: 'xss-dangerouslySetInnerHTML',
+    severity: 'high',
+    category: 'xss',
+    title: 'Potential XSS via dangerouslySetInnerHTML',
+    description: 'dangerouslySetInnerHTML with dynamic content can lead to XSS.',
+    regex: /dangerouslySetInnerHTML\s*=\s*\{\{?\s*__html\s*:/,
+    suggestion: 'Sanitize HTML content with DOMPurify before using dangerouslySetInnerHTML.',
+    cwe: 'CWE-79',
+    languages: ['javascript', 'typescript'],
+  },
+
+  // Insecure Random
+  {
+    id: 'insecure-random',
+    severity: 'medium',
+    category: 'crypto',
+    title: 'Insecure Random Number Generator',
+    description: 'Math.random() is not cryptographically secure.',
+    regex: /Math\.random\s*\(\)/,
+    suggestion: 'Use crypto.getRandomValues() for security-sensitive operations.',
+    cwe: 'CWE-330',
+    languages: ['javascript', 'typescript'],
+  },
+
+  // Path Traversal
+  {
+    id: 'path-traversal',
+    severity: 'high',
+    category: 'path-traversal',
+    title: 'Potential Path Traversal',
+    description: 'User input used in file path without sanitization.',
+    regex: /(?:readFile|readFileSync|open|writeFile|writeFileSync)\s*\(\s*(?:.*\+|.*\$\{)/,
+    suggestion: 'Validate and sanitize file paths. Use path.resolve() with a whitelist.',
+    cwe: 'CWE-22',
+    languages: ['javascript', 'typescript', 'python'],
+  },
+
+  // Weak Cryptography
+  {
+    id: 'weak-hash-md5',
+    severity: 'medium',
+    category: 'crypto',
+    title: 'Weak Hashing Algorithm (MD5)',
+    description: 'MD5 is cryptographically broken. Use SHA-256 or better.',
+    regex: /(?:md5|MD5|hashlib\.md5)/,
+    suggestion: 'Use SHA-256 or SHA-3 for cryptographic hashing.',
+    cwe: 'CWE-328',
+  },
+  {
+    id: 'weak-hash-sha1',
+    severity: 'medium',
+    category: 'crypto',
+    title: 'Weak Hashing Algorithm (SHA-1)',
+    description: 'SHA-1 is deprecated for cryptographic use. Use SHA-256 or better.',
+    regex: /(?:sha1|SHA1|hashlib\.sha1)/,
+    suggestion: 'Use SHA-256 or SHA-3 for cryptographic hashing.',
+    cwe: 'CWE-328',
+  },
+
+  // Debug/Console in Production
+  {
+    id: 'console-log',
+    severity: 'info',
+    category: 'best-practice',
+    title: 'Console Log Statement',
+    description: 'Console.log statements should be removed before production.',
+    regex: /console\.(log|debug|info|warn)\s*\(/,
+    suggestion: 'Use a proper logging framework and remove debug statements.',
+    languages: ['javascript', 'typescript'],
+  },
+  {
+    id: 'print-debug',
+    severity: 'info',
+    category: 'best-practice',
+    title: 'Print Debug Statement',
+    description: 'Print statements should be removed before production.',
+    regex: /print\s*\(\s*["'][^"']*["']\s*\)/,
+    suggestion: 'Use the logging module instead of print statements.',
+    languages: ['python'],
+  },
+
+  // TODO/FIXME/HACK
+  {
+    id: 'todo-comment',
+    severity: 'info',
+    category: 'best-practice',
+    title: 'TODO Comment',
+    description: 'TODO comment found. Consider addressing this.',
+    regex: /\/\/\s*TODO|\/\*\s*TODO|#\s*TODO/i,
+    languages: ['javascript', 'typescript', 'python', 'go', 'java', 'rust'],
+  },
+]
+
+// ---------------------------------------------------------------------------
+// Scanner
+// ---------------------------------------------------------------------------
+
+export class SecurityScanner {
+  private patterns: VulnerabilityPattern[]
+
+  constructor(customPatterns?: VulnerabilityPattern[]) {
+    this.patterns = customPatterns ?? VULNERABILITY_PATTERNS
+  }
+
+  /**
+   * Scan a single file's content for security issues.
+   */
+  scanFile(filePath: string, content: string, language?: string): SecurityFinding[] {
+    const findings: SecurityFinding[] = []
+    const lines = content.split('\n')
+
+    for (const pattern of this.patterns) {
+      // Skip if language filter doesn't match
+      if (pattern.languages && language && !pattern.languages.includes(language)) {
+        continue
+      }
+
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i]
+        const match = line.match(pattern.regex)
+        if (match) {
+          findings.push({
+            id: `${pattern.id}-${filePath}:${i + 1}`,
+            severity: pattern.severity,
+            category: pattern.category,
+            title: pattern.title,
+            description: pattern.description,
+            file: filePath,
+            line: i + 1,
+            column: match.index,
+            code: line.trim(),
+            suggestion: pattern.suggestion,
+            cwe: pattern.cwe,
+          })
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Scan multiple files.
+   */
+  scanFiles(
+    files: Array<{ path: string; content: string; language?: string }>
+  ): SecurityReport {
+    const startTime = Date.now()
+    const allFindings: SecurityFinding[] = []
+
+    for (const file of files) {
+      const findings = this.scanFile(file.path, file.content, file.language)
+      allFindings.push(...findings)
+    }
+
+    const summary = {
+      total: allFindings.length,
+      critical: allFindings.filter(f => f.severity === 'critical').length,
+      high: allFindings.filter(f => f.severity === 'high').length,
+      medium: allFindings.filter(f => f.severity === 'medium').length,
+      low: allFindings.filter(f => f.severity === 'low').length,
+      info: allFindings.filter(f => f.severity === 'info').length,
+    }
+
+    return {
+      findings: allFindings.sort((a, b) => {
+        const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 }
+        return severityOrder[a.severity] - severityOrder[b.severity]
+      }),
+      summary,
+      scannedFiles: files.length,
+      scanDuration: Date.now() - startTime,
+    }
+  }
+
+  /**
+   * Add custom vulnerability patterns.
+   */
+  addPattern(pattern: VulnerabilityPattern): void {
+    this.patterns.push(pattern)
+  }
+
+  /**
+   * Get all available patterns.
+   */
+  getPatterns(): VulnerabilityPattern[] {
+    return [...this.patterns]
+  }
+}

package/src/utils/artifact-transaction.ts

@@ -1,3 +1,4 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
 import * as fs from 'node:fs/promises'
 import * as path from 'node:path'
 import { randomUUID } from 'node:crypto'

package/src/utils/atomic-write.ts

@@ -1,3 +1,4 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
 import * as fs from 'node:fs/promises'
 import * as path from 'node:path'
 import { randomUUID } from 'node:crypto'

package/src/utils/errors.ts

@@ -2,12 +2,25 @@ export class MikkError extends Error {
     constructor(message: string, public code: string) {
         super(message)
         this.name = 'MikkError'
+        Error.captureStackTrace?.(this, this.constructor)
+    }
+
+    toJSON() {
+        return {
+            name: this.name,
+            message: this.message,
+            code: this.code,
+            stack: this.stack,
+        }
     }
 }
 
 export class ParseError extends MikkError {
-    constructor(file: string, cause: string) {
-        super(`Failed to parse ${file}: ${cause}`, 'PARSE_ERROR')
+    constructor(file: string, cause: string | Error) {
+        const message = cause instanceof Error 
+            ? `Failed to parse ${file}: ${cause.message}` 
+            : `Failed to parse ${file}: ${cause}`
+        super(message, 'PARSE_ERROR')
     }
 }
 
@@ -18,8 +31,11 @@ export class ContractNotFoundError extends MikkError {
 }
 
 export class LockNotFoundError extends MikkError {
-    constructor() {
-        super(`No mikk.lock.json found. Run 'mikk analyze' first.`, 'LOCK_NOT_FOUND')
+    constructor(path?: string) {
+        const msg = path 
+            ? `No mikk.lock.json found at ${path}. Run 'mikk analyze' first.` 
+            : `No mikk.lock.json found. Run 'mikk analyze' first.`
+        super(msg, 'LOCK_NOT_FOUND')
     }
 }
 
@@ -40,3 +56,72 @@ export class SyncStateError extends MikkError {
         super(`Mikk is in ${status} state. Run 'mikk analyze' to sync.`, 'SYNC_STATE_ERROR')
     }
 }
+
+export class EmbeddingError extends MikkError {
+    constructor(message: string, cause?: Error) {
+        const fullMessage = cause 
+            ? `${message}: ${cause.message}` 
+            : message
+        super(fullMessage, 'EMBEDDING_ERROR')
+    }
+}
+
+export class SearchError extends MikkError {
+    constructor(message: string, cause?: Error) {
+        const fullMessage = cause 
+            ? `${message}: ${cause.message}` 
+            : message
+        super(fullMessage, 'SEARCH_ERROR')
+    }
+}
+
+export class ValidationError extends MikkError {
+    constructor(message: string) {
+        super(message, 'VALIDATION_ERROR')
+    }
+}
+
+export class ConfigurationError extends MikkError {
+    constructor(message: string) {
+        super(message, 'CONFIGURATION_ERROR')
+    }
+}
+
+export class TimeoutError extends MikkError {
+    constructor(operation: string, timeoutMs: number) {
+        super(`Operation '${operation}' timed out after ${timeoutMs}ms`, 'TIMEOUT')
+    }
+}
+
+export class CacheError extends MikkError {
+    constructor(message: string, cause?: Error) {
+        const fullMessage = cause 
+            ? `Cache error: ${message}: ${cause.message}` 
+            : `Cache error: ${message}`
+        super(fullMessage, 'CACHE_ERROR')
+    }
+}
+
+export function isMikkError(error: unknown): error is MikkError {
+    return error instanceof MikkError
+}
+
+export function getErrorCode(error: unknown): string {
+    if (error instanceof MikkError) {
+        return error.code
+    }
+    if (error instanceof Error) {
+        return error.name.toUpperCase().replace(/\s+/g, '_')
+    }
+    return 'UNKNOWN'
+}
+
+export function formatError(error: unknown): string {
+    if (isMikkError(error)) {
+        return `[${error.code}] ${error.message}`
+    }
+    if (error instanceof Error) {
+        return `${error.name}: ${error.message}`
+    }
+    return String(error)
+}