@haystackeditor/cli 0.2.0

package/dist/utils/secrets.js

@@ -0,0 +1,241 @@
+/**
+ * Secret Scanning & Validation
+ *
+ * Detects potential hardcoded secrets in configuration files
+ * before they can be committed to version control.
+ *
+ * Based on patterns from:
+ * - GitHub secret scanning
+ * - detect-secrets
+ * - truffleHog
+ */
+import * as fs from 'fs/promises';
+import * as path from 'path';
+/**
+ * Common secret patterns
+ */
+const SECRET_PATTERNS = [
+    // API Keys
+    {
+        name: 'generic-api-key',
+        pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"]?([a-zA-Z0-9_\-]{20,})['"]?/gi,
+        description: 'Potential API key detected',
+        severity: 'high',
+    },
+    {
+        name: 'generic-secret',
+        pattern: /(?:secret|password|passwd|pwd)\s*[:=]\s*['"]?([a-zA-Z0-9_\-!@#$%^&*]{8,})['"]?/gi,
+        description: 'Potential secret or password detected',
+        severity: 'high',
+    },
+    // Cloud Providers
+    {
+        name: 'aws-access-key',
+        pattern: /AKIA[0-9A-Z]{16}/g,
+        description: 'AWS Access Key ID detected',
+        severity: 'high',
+    },
+    {
+        name: 'aws-secret-key',
+        pattern: /(?:aws)?[_-]?secret[_-]?(?:access)?[_-]?key\s*[:=]\s*['"]?([a-zA-Z0-9/+=]{40})['"]?/gi,
+        description: 'AWS Secret Access Key detected',
+        severity: 'high',
+    },
+    {
+        name: 'cloudflare-api-token',
+        pattern: /(?:cloudflare|cf)[_-]?(?:api)?[_-]?token\s*[:=]\s*['"]?([a-zA-Z0-9_\-]{40,})['"]?/gi,
+        description: 'Cloudflare API Token detected',
+        severity: 'high',
+    },
+    // GitHub
+    {
+        name: 'github-token',
+        pattern: /gh[pousr]_[a-zA-Z0-9]{36,}/g,
+        description: 'GitHub Personal Access Token detected',
+        severity: 'high',
+    },
+    {
+        name: 'github-oauth',
+        pattern: /gho_[a-zA-Z0-9]{36,}/g,
+        description: 'GitHub OAuth Token detected',
+        severity: 'high',
+    },
+    // OpenAI / Anthropic
+    {
+        name: 'openai-api-key',
+        pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/g,
+        description: 'OpenAI API Key detected',
+        severity: 'high',
+    },
+    {
+        name: 'anthropic-api-key',
+        pattern: /sk-ant-[a-zA-Z0-9\-_]{40,}/g,
+        description: 'Anthropic API Key detected',
+        severity: 'high',
+    },
+    // Database
+    {
+        name: 'postgres-connection',
+        pattern: /postgres(?:ql)?:\/\/[^:]+:[^@]+@[^/]+/gi,
+        description: 'PostgreSQL connection string with credentials detected',
+        severity: 'high',
+    },
+    {
+        name: 'mongodb-connection',
+        pattern: /mongodb(?:\+srv)?:\/\/[^:]+:[^@]+@[^/]+/gi,
+        description: 'MongoDB connection string with credentials detected',
+        severity: 'high',
+    },
+    // Private Keys
+    {
+        name: 'private-key',
+        pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/g,
+        description: 'Private key detected',
+        severity: 'high',
+    },
+    // JWT / Bearer tokens
+    {
+        name: 'jwt-token',
+        pattern: /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g,
+        description: 'JWT token detected',
+        severity: 'medium',
+    },
+    {
+        name: 'bearer-token',
+        pattern: /bearer\s+[a-zA-Z0-9_\-.~+/]+=*/gi,
+        description: 'Bearer token detected',
+        severity: 'medium',
+    },
+    // Slack
+    {
+        name: 'slack-token',
+        pattern: /xox[baprs]-[0-9]+-[0-9]+-[a-zA-Z0-9]+/g,
+        description: 'Slack token detected',
+        severity: 'high',
+    },
+    {
+        name: 'slack-webhook',
+        pattern: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/g,
+        description: 'Slack webhook URL detected',
+        severity: 'medium',
+    },
+    // Generic high-entropy strings in config values
+    {
+        name: 'high-entropy-string',
+        pattern: /(?:token|key|secret|password|credential|auth)\s*[:=]\s*['"]([a-zA-Z0-9+/=_\-]{32,})['"]?/gi,
+        description: 'High-entropy string in sensitive field',
+        severity: 'medium',
+    },
+];
+/**
+ * Patterns that are safe and should be ignored
+ */
+const SAFE_PATTERNS = [
+    /\$[A-Z_]+/, // Environment variable reference
+    /\$\{[A-Z_]+\}/, // Environment variable with braces
+    /file:\/\//, // File path reference
+    /https?:\/\//, // Regular URLs (unless they contain credentials)
+    /<[A-Z_]+>/, // Placeholder like <API_KEY>
+    /your[_-]?(?:api)?[_-]?key/i, // Example placeholder
+    /xxx+/i, // Redacted value
+    /\*{3,}/, // Masked value
+];
+/**
+ * Redact a secret value for safe display
+ */
+function redactSecret(value) {
+    if (value.length <= 8) {
+        return '***';
+    }
+    return value.substring(0, 4) + '***' + value.substring(value.length - 2);
+}
+/**
+ * Check if a match is a safe pattern (not a real secret)
+ */
+function isSafePattern(match) {
+    return SAFE_PATTERNS.some((pattern) => pattern.test(match));
+}
+/**
+ * Scan content for potential secrets
+ */
+export function scanForSecrets(content, filename) {
+    const findings = [];
+    const lines = content.split('\n');
+    for (const secretPattern of SECRET_PATTERNS) {
+        // Reset regex state
+        secretPattern.pattern.lastIndex = 0;
+        let match;
+        while ((match = secretPattern.pattern.exec(content)) !== null) {
+            const matchedValue = match[1] || match[0];
+            // Skip safe patterns
+            if (isSafePattern(matchedValue)) {
+                continue;
+            }
+            // Find line and column
+            const beforeMatch = content.substring(0, match.index);
+            const line = beforeMatch.split('\n').length;
+            const lastNewline = beforeMatch.lastIndexOf('\n');
+            const column = match.index - lastNewline;
+            findings.push({
+                pattern: secretPattern.name,
+                description: secretPattern.description,
+                severity: secretPattern.severity,
+                line,
+                column,
+                match: redactSecret(matchedValue),
+                file: filename,
+            });
+        }
+    }
+    return findings;
+}
+/**
+ * Scan a file for secrets
+ */
+export async function scanFile(filePath) {
+    try {
+        const content = await fs.readFile(filePath, 'utf-8');
+        return scanForSecrets(content, path.basename(filePath));
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Scan .haystack.yml specifically for secrets
+ */
+export async function scanHaystackConfig(configPath) {
+    return scanFile(configPath);
+}
+/**
+ * Validate that a config doesn't contain hardcoded secrets
+ * Returns true if safe, false if secrets detected
+ */
+export async function validateConfigSecurity(configPath) {
+    const findings = await scanHaystackConfig(configPath);
+    const highSeverity = findings.filter((f) => f.severity === 'high');
+    return {
+        safe: highSeverity.length === 0,
+        findings,
+    };
+}
+/**
+ * Get a security report string for display
+ */
+export function formatSecurityReport(findings) {
+    if (findings.length === 0) {
+        return '✓ No secrets detected';
+    }
+    const lines = [
+        `⚠️  ${findings.length} potential secret(s) detected:\n`,
+    ];
+    for (const finding of findings) {
+        const severity = finding.severity === 'high' ? '🔴' : finding.severity === 'medium' ? '🟡' : '🟢';
+        lines.push(`  ${severity} ${finding.file}:${finding.line}:${finding.column}`);
+        lines.push(`     ${finding.description}`);
+        lines.push(`     Matched: ${finding.match}\n`);
+    }
+    lines.push('Use $VARIABLE syntax to reference secrets from Haystack platform.');
+    lines.push('Run `haystack secrets set KEY value` to store secrets securely.\n');
+    return lines.join('\n');
+}

package/dist/utils/skill.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Create the .agents/skills/haystack.md file for agent discovery
+ */
+export declare function createSkillFile(): Promise<string>;

package/dist/utils/skill.js

@@ -0,0 +1,249 @@
+/**
+ * Create the .agents/skills/haystack.md file for agent discovery
+ */
+import * as fs from 'fs/promises';
+import * as path from 'path';
+const SKILL_CONTENT = `# Haystack Verification
+
+Haystack provides automated PR verification. When a PR is opened, an AI agent spins up the app in a sandbox and verifies changes work correctly.
+
+## Setup Workflow
+
+### Step 1: Generate base config
+\`\`\`bash
+npx @haystackeditor/cli init
+\`\`\`
+This auto-detects framework, ports, package manager and creates \`.haystack.yml\`.
+
+### Step 2: Review and customize
+After init, review the generated config and customize based on the app:
+
+| If the app has... | Add this |
+|-------------------|----------|
+| Login/authentication | Auth bypass env var (see Auth Bypass section) |
+| Key user journeys | Flows describing what to verify (see Flows section) |
+| API calls needing auth | Fixtures to mock responses (see Fixtures section) |
+
+**Minimum viable config**: Just \`dev_server\` settings. Flows and fixtures can be added later as needed.
+
+### Step 3: Commit
+\`\`\`bash
+git add .haystack.yml .agents/
+git commit -m "Add Haystack verification"
+\`\`\`
+
+## Config Reference
+
+\`\`\`yaml
+version: "1"
+name: my-app
+
+# Dev server configuration
+dev_server:
+  command: pnpm dev
+  port: 3000
+  ready_pattern: "Local:"    # Text in stdout when server is ready
+  env:
+    SKIP_AUTH: "true"        # Auth bypass for testing
+
+# Verification commands (run in PR checks)
+verification:
+  commands:
+    - name: build
+      run: pnpm build
+    - name: lint
+      run: pnpm lint
+    - name: typecheck
+      run: pnpm tsc --noEmit
+
+# Flows: Advisory descriptions for AI verification agent
+# The agent reads these to understand WHAT to verify, then navigates autonomously
+flows:
+  - name: "Landing page loads"
+    description: "Verify the landing page renders without errors"
+    trigger: always
+    steps:
+      - action: navigate
+        url: "/"
+      - action: wait_for
+        selector: "[data-testid='landing']"
+      - action: screenshot
+        name: "landing"
+
+  - name: "Dashboard loads with data"
+    description: "Verify dashboard shows user data correctly"
+    trigger: on_change
+    watch_patterns:
+      - "src/components/dashboard/**"
+    steps:
+      - action: navigate
+        url: "/dashboard"
+      - action: wait_for
+        selector: ".dashboard-content"
+      - action: assert_no_errors
+\`\`\`
+
+## Monorepo Configuration
+
+For monorepos with multiple services:
+
+\`\`\`yaml
+version: "1"
+name: my-monorepo
+
+services:
+  frontend:
+    root: ./
+    command: pnpm dev
+    port: 3000
+    ready_pattern: "Local:"
+    env:
+      VITE_SKIP_AUTH: "true"
+
+  api:
+    root: packages/api
+    command: pnpm dev
+    port: 8080
+    ready_pattern: "listening"
+
+  worker:
+    root: infra/worker
+    command: pnpm wrangler dev
+    port: 8787
+
+  # Batch jobs (run once, don't stay running)
+  analysis:
+    root: packages/analysis
+    type: batch
+    command: pnpm start
+
+verification:
+  commands:
+    - name: build
+      run: pnpm build
+    - name: lint
+      run: pnpm lint
+\`\`\`
+
+## Multi-Repo Configuration
+
+When services live in separate git repositories (not a monorepo), each repo gets its own \`.haystack.yml\`:
+
+**Frontend repo** - Mock the API it depends on:
+\`\`\`yaml
+version: "1"
+name: frontend
+
+dev_server:
+  command: pnpm dev
+  port: 3000
+  env:
+    VITE_API_URL: "http://localhost:8080"  # Will be mocked
+
+# Mock the API from the other repo
+fixtures:
+  - pattern: "/api/*"
+    source: "file://fixtures/api-responses.json"
+\`\`\`
+
+**API repo** - Standalone verification:
+\`\`\`yaml
+version: "1"
+name: api
+
+dev_server:
+  command: pnpm dev
+  port: 8080
+
+verification:
+  commands:
+    - name: test
+      run: pnpm test
+\`\`\`
+
+Each repo is verified independently. Use fixtures to mock dependencies on other services.
+
+## Fixtures (API Mocking)
+
+Mock API responses so verification doesn't need real credentials:
+
+\`\`\`yaml
+fixtures:
+  # Local file (small data, commit to repo)
+  - pattern: "/api/user"
+    source: "file://fixtures/user.json"
+
+  # From staging server
+  - pattern: "/api/dashboard"
+    source: "https://staging.example.com/api/dashboard"
+    headers:
+      Authorization: "Bearer $STAGING_TOKEN"
+
+  # Large data from S3
+  - pattern: "/api/analytics"
+    source: "s3://my-bucket/fixtures/analytics.json"
+
+  # Use real API (no mocking)
+  - pattern: "/api/public/*"
+    source: passthrough
+\`\`\`
+
+## Understanding Flows
+
+**Flows are advisory, not mechanical scripts.**
+
+When a PR is opened, an AI agent (running in a Modal sandbox with browser access):
+1. Reads the flows to understand what to verify
+2. Navigates the app autonomously
+3. Determines if things work based on flow descriptions
+4. Captures screenshots and evidence
+5. Reports results
+
+The flow steps are hints like "check the landing page loads" - the AI figures out how to verify that. It can adapt if the UI changes slightly.
+
+### Flow Triggers
+
+| Trigger | When it runs |
+|---------|--------------|
+| \`always\` | Every PR |
+| \`on_change\` | Only when \`watch_patterns\` match changed files |
+
+### Flow Actions (Advisory)
+
+These describe what the agent should verify:
+
+**Browser:**
+- \`navigate\` - Go to URL
+- \`wait_for\` - Wait for element
+- \`click\` - Click element
+- \`type\` - Enter text
+- \`screenshot\` - Capture screenshot
+- \`assert_no_errors\` - Check for error states
+
+**API:**
+- \`http_request\` - Make API call
+- \`assert_status\` - Check response code
+- \`websocket_connect\` - Test WebSocket
+
+## Auth Bypass
+
+Most apps need auth bypassed for testing. Common patterns:
+
+| Framework | Env Var |
+|-----------|---------|
+| Vite/React | \`VITE_SKIP_AUTH=true\` |
+| Next.js | \`NEXT_PUBLIC_SKIP_AUTH=true\` |
+| Express | \`SKIP_AUTH=true\` |
+| Rails | \`SKIP_AUTH=true\` |
+
+Add to \`dev_server.env\` or \`services.*.env\` in your config.
+`;
+export async function createSkillFile() {
+    const skillDir = path.join(process.cwd(), '.agents', 'skills');
+    const skillPath = path.join(skillDir, 'haystack.md');
+    // Create directory if needed
+    await fs.mkdir(skillDir, { recursive: true });
+    // Write skill file
+    await fs.writeFile(skillPath, SKILL_CONTENT, 'utf-8');
+    return skillPath;
+}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@haystackeditor/cli",
+  "version": "0.2.0",
+  "description": "Set up Haystack verification for your project",
+  "type": "module",
+  "bin": {
+    "haystack": "./dist/index.js"
+  },
+  "keywords": [
+    "haystack",
+    "verification",
+    "sandbox",
+    "ai-agent",
+    "testing",
+    "cli"
+  ],
+  "author": "Haystack",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/haystackeditor/haystack-review.git",
+    "directory": "packages/haystack-cli"
+  },
+  "homepage": "https://haystackeditor.com",
+  "bugs": {
+    "url": "https://github.com/haystackeditor/haystack-review/issues"
+  },
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.0.0",
+    "fast-glob": "^3.3.0",
+    "inquirer": "^9.2.0",
+    "yaml": "^2.3.4"
+  },
+  "devDependencies": {
+    "@types/inquirer": "^9.0.0",
+    "@types/node": "^20.10.0",
+    "typescript": "^5.3.0"
+  },
+  "files": [
+    "dist"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "start": "node dist/index.js"
+  }
+}