@hawon/nexus 0.1.0 → 0.3.0

package/src/review/analyzer.test.ts

@@ -0,0 +1,279 @@
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { reviewCode } from "./analyzer.js";
+
+// ═══════════════════════════════════════════════════════════════════
+// Security detections
+// ═══════════════════════════════════════════════════════════════════
+
+describe("detects hardcoded secrets", () => {
+  it("detects API key", () => {
+    const code = `const API_KEY = "sk-abc123def456ghi789jkl012mno345pqr678";`;
+    const result = reviewCode(code, "test.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "security" && /secret|key|token/i.test(f.message)),
+      "Expected security finding for API key",
+    );
+  });
+
+  it("detects hardcoded password", () => {
+    const code = `const password = "SuperS3cretP@ss!";`;
+    const result = reviewCode(code, "config.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "security" && /password/i.test(f.message)),
+      "Expected security finding for hardcoded password",
+    );
+  });
+
+  it("detects AWS access key", () => {
+    const code = `const awsKey = "AKIAIOSFODNN7EXAMPLE";`;
+    const result = reviewCode(code, "aws.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "security" && /aws/i.test(f.message)),
+      "Expected security finding for AWS key",
+    );
+  });
+
+  it("detects GitHub PAT", () => {
+    const code = `const token = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";`;
+    const result = reviewCode(code, "gh.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "security"),
+      "Expected security finding for GitHub PAT",
+    );
+  });
+});
+
+describe("detects SQL injection", () => {
+  it("template literal in exec", () => {
+    const code = 'db.exec(`DELETE FROM sessions WHERE user = ${userName}`);';
+    const result = reviewCode(code, "db.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "security" && /sql/i.test(f.message)),
+      "Expected SQL injection finding for exec template literal",
+    );
+  });
+
+  it("template literal in query", () => {
+    const code = 'db.execute(`SELECT * FROM users WHERE name = ${userName}`);';
+    const result = reviewCode(code, "db.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "security" && /sql/i.test(f.message)),
+      "Expected SQL injection finding for template literal",
+    );
+  });
+});
+
+describe("detects eval", () => {
+  it("eval() usage", () => {
+    const code = `const result = eval(userInput);`;
+    const result = reviewCode(code, "exec.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "security" && /eval|code injection/i.test(f.message)),
+      "Expected eval finding",
+    );
+  });
+
+  it("Function() constructor", () => {
+    const code = `const fn = new Function("return " + expr);`;
+    const result = reviewCode(code, "exec.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "security" && /eval|Function|code injection/i.test(f.message)),
+      "Expected Function constructor finding",
+    );
+  });
+});
+
+// ═══════════════════════════════════════════════════════════════════
+// Bug detections
+// ═══════════════════════════════════════════════════════════════════
+
+describe("detects empty catch", () => {
+  it("catch(e) {} is flagged", () => {
+    const code = `
+try {
+  doSomething();
+} catch(e) {}
+`;
+    const result = reviewCode(code, "handler.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "error_handling" && /empty catch/i.test(f.message)),
+      "Expected empty catch finding",
+    );
+  });
+});
+
+describe("detects TODO comments", () => {
+  it("TODO is flagged", () => {
+    const code = `
+function process() {
+  // TODO fix this before release
+  return null;
+}
+`;
+    const result = reviewCode(code, "process.ts");
+    assert.ok(
+      result.findings.some((f) => /TODO/i.test(f.message)),
+      "Expected TODO finding",
+    );
+  });
+
+  it("FIXME is flagged", () => {
+    const code = `
+// FIXME: memory leak here
+setInterval(() => {}, 1000);
+`;
+    const result = reviewCode(code, "timer.ts");
+    assert.ok(
+      result.findings.some((f) => /FIXME/i.test(f.message)),
+      "Expected FIXME finding",
+    );
+  });
+});
+
+// ═══════════════════════════════════════════════════════════════════
+// Clean code passes
+// ═══════════════════════════════════════════════════════════════════
+
+describe("clean code", () => {
+  it("well-written code gets high score", () => {
+    const code = `
+import { readFile } from "node:fs/promises";
+
+interface Config {
+  port: number;
+  host: string;
+}
+
+async function loadConfig(path: string): Promise<Config> {
+  const raw = await readFile(path, "utf-8");
+  return JSON.parse(raw) as Config;
+}
+
+export { loadConfig };
+`;
+    const result = reviewCode(code, "config.ts");
+    assert.ok(result.score >= 80, `Expected score >= 80 for clean code, got ${result.score}`);
+  });
+
+  it("returns summary string", () => {
+    const result = reviewCode("const x = 1;", "simple.ts");
+    assert.ok(typeof result.summary === "string");
+    assert.ok(result.summary.length > 0);
+  });
+});
+
+// ═══════════════════════════════════════════════════════════════════
+// Scoring
+// ═══════════════════════════════════════════════════════════════════
+
+describe("scoring", () => {
+  it("score is between 0 and 100", () => {
+    const badCode = `
+const api_key = "sk-abcdefghijklmnopqrstuvwxyz123456";
+eval(userInput);
+db.query("SELECT * FROM users WHERE id = " + id);
+try { x(); } catch(e) {}
+// TODO fix everything
+console.log("debug");
+`;
+    const result = reviewCode(badCode, "bad.ts");
+    assert.ok(result.score >= 0, `Score should be >= 0, got ${result.score}`);
+    assert.ok(result.score <= 100, `Score should be <= 100, got ${result.score}`);
+  });
+
+  it("more issues = lower score (diminishing returns)", () => {
+    const oneIssue = `const password = "hunter2abc1234";`;
+    const manyIssues = `
+const password = "hunter2abc1234";
+const api_key = "sk-abcdefghijklmnopqrstuvwxyz123456";
+eval(userInput);
+db.query("SELECT * FROM users WHERE id = " + id);
+try { x(); } catch(e) {}
+`;
+    const r1 = reviewCode(oneIssue, "a.ts");
+    const r2 = reviewCode(manyIssues, "b.ts");
+    assert.ok(r1.score > r2.score, `One issue (${r1.score}) should score higher than many (${r2.score})`);
+  });
+
+  it("durationMs is reported", () => {
+    const result = reviewCode("const x = 1;", "test.ts");
+    assert.ok(typeof result.durationMs === "number");
+    assert.ok(result.durationMs >= 0);
+  });
+});
+
+// ═══════════════════════════════════════════════════════════════════
+// Filtering options
+// ═══════════════════════════════════════════════════════════════════
+
+describe("review options", () => {
+  const messyCode = `
+const api_key = "sk-abcdefghijklmnopqrstuvwxyz123456";
+eval(userInput);
+// TODO fix this
+console.log("debug");
+try { x(); } catch(e) {}
+`;
+
+  it("minSeverity filters lower severity findings", () => {
+    const all = reviewCode(messyCode, "test.ts");
+    const criticalOnly = reviewCode(messyCode, "test.ts", { minSeverity: "critical" });
+    assert.ok(criticalOnly.findings.length <= all.findings.length);
+    assert.ok(criticalOnly.findings.every((f) => f.severity === "critical"));
+  });
+
+  it("categories filter limits to specific categories", () => {
+    const secOnly = reviewCode(messyCode, "test.ts", { categories: ["security"] });
+    assert.ok(secOnly.findings.every((f) => f.category === "security"));
+  });
+
+  it("maxFindings limits result count", () => {
+    const result = reviewCode(messyCode, "test.ts", { maxFindings: 2 });
+    assert.ok(result.findings.length <= 2);
+  });
+});
+
+// ═══════════════════════════════════════════════════════════════════
+// AI slop detection
+// ═══════════════════════════════════════════════════════════════════
+
+describe("AI slop detection", () => {
+  it("detects obvious comments", () => {
+    const code = `
+// increment counter by 1
+counter++;
+// set name to empty string
+let name = "";
+`;
+    const result = reviewCode(code, "slop.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "ai_slop" && /comment/i.test(f.message)),
+      "Expected AI slop comment detection",
+    );
+  });
+
+  it("detects unnecessary type assertions", () => {
+    const code = `const data = response as any;`;
+    const result = reviewCode(code, "cast.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "ai_slop" && /type assertion/i.test(f.message)),
+      "Expected type assertion finding",
+    );
+  });
+});
+
+// ═══════════════════════════════════════════════════════════════════
+// Performance detection
+// ═══════════════════════════════════════════════════════════════════
+
+describe("performance detection", () => {
+  it("detects innerHTML assignment", () => {
+    const code = `element.innerHTML = userInput;`;
+    const result = reviewCode(code, "dom.ts");
+    assert.ok(
+      result.findings.some((f) => f.category === "security" && /innerHTML|XSS/i.test(f.message)),
+      "Expected innerHTML/XSS finding",
+    );
+  });
+});

package/src/review/analyzer.ts

@@ -20,12 +20,13 @@ const SEVERITY_PENALTY: Record<ReviewSeverity, number> = {
   info: 1,
 };
 
-let findingCounter = 0;
-
-function nextId(): string {
-  return `R${String(++findingCounter).padStart(4, "0")}`;
+function createIdGenerator(): () => string {
+  let counter = 0;
+  return () => `R${String(++counter).padStart(4, "0")}`;
 }
 
+let nextId = createIdGenerator();
+
 function finding(
   file: string,
   line: number,
@@ -61,14 +62,16 @@ function detectConsoleStatements(
   const re = /\bconsole\.(log|error|warn|debug|info|trace)\s*\(/;
   for (let i = 0; i < lines.length; i++) {
     const line = lines[i];
-    if (re.test(line) && !line.trimStart().startsWith("//")) {
+    const match = line.match(re);
+    if (match && !line.trimStart().startsWith("//")) {
+      const method = match[1];
       results.push(
         finding(
           file,
           i + 1,
           "warning",
           "bug",
-          "Console statement left in code",
+          `console.${method} statement left in code`,
           line.trim(),
           "Remove or replace with a proper logger",
         ),
@@ -462,10 +465,31 @@ function detectSqlInjection(
   file: string,
   results: ReviewFinding[],
 ): void {
-  const re =
-    /(?:query|execute|exec|raw)\s*\(\s*(?:["'`].*?\b(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b.*?\$\{|["'`]\s*\+\s*\w+)/i;
+  const sqlKeyword = /\b(?:SELECT|INSERT\s+INTO|UPDATE|DELETE\s+FROM|DROP)\b/i;
+
+  // String concatenation: line has a string literal + variable (handles mixed quotes)
+  const stringConcat = /["'`]\s*\+|\+\s*["'`]/;
+
+  // Template literal interpolation with SQL keyword
+  const templateRe =
+    /`[^`]*\b(?:SELECT|INSERT\s+INTO|UPDATE|DELETE\s+FROM|DROP)\b[^`]*\$\{/i;
+
+  // Parameterized query (safe — do not flag)
+  const parameterized = /\?\s*[,)\]]|\$\d+/;
+
   for (let i = 0; i < lines.length; i++) {
-    if (re.test(lines[i])) {
+    const line = lines[i];
+    if (line.trimStart().startsWith("//")) continue;
+
+    const hasSqlKeyword = sqlKeyword.test(line);
+    const hasConcatenation = stringConcat.test(line);
+    const hasTemplateInterp = templateRe.test(line);
+    const isSafe = parameterized.test(line);
+
+    if (
+      !isSafe &&
+      (hasTemplateInterp || (hasSqlKeyword && hasConcatenation))
+    ) {
       results.push(
         finding(
           file,
@@ -473,7 +497,7 @@ function detectSqlInjection(
           "critical",
           "security",
           "SQL string concatenation / template literal — potential SQL injection",
-          lines[i].trim().substring(0, 120),
+          line.trim().substring(0, 120),
           "Use parameterized queries or prepared statements",
         ),
       );
@@ -634,39 +658,99 @@ function detectUnusedImports(
   file: string,
   results: ReviewFinding[],
 ): void {
-  const importRe = /import\s+(?:type\s+)?(?:\{([^}]+)\}|(\w+))/;
-  const bodyText = lines.join("\n");
+  // Collect all import statements, handling multi-line imports.
+  const imports: {
+    startLine: number;
+    endLine: number;
+    names: string[];
+  }[] = [];
 
   for (let i = 0; i < lines.length; i++) {
-    const match = lines[i].match(importRe);
-    if (!match) continue;
+    const line = lines[i];
+
+    // Check if this line starts an import statement
+    if (!/^\s*import\s+/.test(line)) continue;
+
+    // Accumulate the full import statement (may span multiple lines)
+    let fullStatement = line;
+    let endLine = i;
+    while (
+      endLine < lines.length - 1 &&
+      !/\bfrom\s+["'`]/.test(fullStatement)
+    ) {
+      endLine++;
+      fullStatement += "\n" + lines[endLine];
+    }
+
+    // Skip `import type { ... } from` and `import type X from` (compile-time only)
+    if (/^\s*import\s+type\s+[\w{]/.test(fullStatement)) {
+      i = endLine;
+      continue;
+    }
+    // Skip bare side-effect imports: `import "module"`
+    if (/^\s*import\s+["'`]/.test(fullStatement)) {
+      i = endLine;
+      continue;
+    }
 
     const names: string[] = [];
-    if (match[1]) {
-      // Named imports: { A, B as C }
-      for (const part of match[1].split(",")) {
-        const token = part.trim().split(/\s+as\s+/);
+
+    // Extract default import: `import foo from` or `import foo, { ... } from`
+    const defaultMatch = fullStatement.match(
+      /import\s+(\w+)\s*(?:,|\s+from\b)/,
+    );
+    if (defaultMatch && defaultMatch[1] !== "type") {
+      names.push(defaultMatch[1]);
+    }
+
+    // Extract named imports: `{ a, b as c, d }`
+    const namedMatch = fullStatement.match(/\{([^}]+)\}/);
+    if (namedMatch) {
+      for (const part of namedMatch[1].split(",")) {
+        const trimmed = part.trim();
+        if (!trimmed) continue;
+        // Skip inline `type Foo` inside `import { type Foo, bar } from "..."`
+        if (/^type\s+/.test(trimmed)) continue;
+        const token = trimmed.split(/\s+as\s+/);
         const local = (token[1] ?? token[0]).trim();
         if (local) names.push(local);
       }
-    } else if (match[2]) {
-      names.push(match[2]);
     }
 
-    for (const name of names) {
-      if (!name || name === "type") continue;
-      // Check occurrences in the rest of the file (excluding the import line itself)
-      const rest = lines.filter((_, idx) => idx !== i).join("\n");
+    // Extract namespace import: `import * as ns from "..."`
+    const nsMatch = fullStatement.match(/import\s+\*\s+as\s+(\w+)/);
+    if (nsMatch) {
+      names.push(nsMatch[1]);
+    }
+
+    if (names.length > 0) {
+      imports.push({ startLine: i, endLine, names });
+    }
+
+    // Advance past multi-line import
+    i = endLine;
+  }
+
+  // Check each imported name for usage in the rest of the file
+  for (const imp of imports) {
+    const importLineSet = new Set<number>();
+    for (let l = imp.startLine; l <= imp.endLine; l++) {
+      importLineSet.add(l);
+    }
+    const rest = lines.filter((_, idx) => !importLineSet.has(idx)).join("\n");
+
+    for (const name of imp.names) {
+      if (!name) continue;
       const usage = new RegExp(`\\b${escapeRegex(name)}\\b`);
       if (!usage.test(rest)) {
         results.push(
           finding(
             file,
-            i + 1,
+            imp.startLine + 1,
             "info",
             "dead_code",
-            `Import '${name}' appears unused`,
-            lines[i].trim(),
+            `Unused import '${name}'`,
+            lines[imp.startLine].trim(),
             "Remove the unused import",
           ),
         );
@@ -817,7 +901,7 @@ export function reviewCode(
   options: ReviewOptions = {},
 ): ReviewResult {
   const start = performance.now();
-  findingCounter = 0;
+  nextId = createIdGenerator();
 
   const lines = code.split("\n");
   const findings: ReviewFinding[] = [];

package/src/shared/stop-words.ts

@@ -0,0 +1,21 @@
+export const STOP_WORDS = new Set([
+  // English
+  "the", "a", "an", "is", "are", "was", "were", "be", "been", "being",
+  "have", "has", "had", "do", "does", "did", "will", "would", "could",
+  "should", "may", "might", "shall", "can", "need", "must",
+  "i", "me", "my", "we", "our", "you", "your", "he", "she", "it",
+  "they", "them", "his", "her", "its", "this", "that", "these", "those",
+  "what", "which", "who", "whom", "how", "when", "where", "why",
+  "and", "but", "or", "nor", "not", "no", "so", "if", "then", "else",
+  "for", "of", "to", "in", "on", "at", "by", "with", "from", "as",
+  "into", "about", "up", "out", "off", "over", "under", "again",
+  "there", "here", "all", "each", "every", "both", "few", "more",
+  "most", "some", "any", "other", "just", "also", "than", "too",
+  "very", "only", "even", "still", "already", "now", "well",
+  "get", "got", "make", "made", "go", "going", "come", "take",
+  "use", "used", "using", "like", "want", "know", "see", "look",
+  "think", "said", "say", "tell", "let", "put", "set", "try",
+  "please", "thanks", "thank", "yes", "no", "ok", "okay", "sure",
+  // Korean
+  "이", "그", "저", "을", "를", "에", "가", "는", "은", "의", "로", "으로",
+]);

package/src/skills/index.ts

@@ -1,29 +1,13 @@
-export { extractSkills } from "./extractor.js";
 export {
-  addSkills,
-  exportToObsidian,
-  loadSkillLibrary,
-  saveSkillLibrary,
-  searchSkills,
-} from "./library.js";
-export type { ExtractedSkill, SkillLibrary } from "./types.js";
-
-// Pattern Evolution Engine
-export {
-  analyzePatternEvolution,
-  extractContextualPatterns,
-  fingerprintPattern,
-  findSimilarPatterns,
-  analyzeDrift,
-  buildEvolvedSkill,
-} from "./pattern-engine.js";
+  extractMemorySkills,
+  renderKnowledgeBase,
+  renderMemorySkillMarkdown,
+} from "./memory-skill-engine.js";
 export type {
-  ContextWindow,
-  TaskSequence,
-  PatternFingerprint,
-  DriftAnalysis,
-  DriftReason,
-  EvolvedSkill,
-  EvolutionEntry,
-} from "./pattern-engine.js";
-export { exportEvolvedSkills, renderEvolvedSkillMarkdown } from "./render-evolved.js";
+  MemorySkill,
+  Tip,
+  Fact,
+  KnowledgeTier,
+  LearnedKnowledge,
+  SkillExtractionResult,
+} from "./memory-skill-engine.js";