@hone-ai/cli 1.4.0

package/lib/security-scanner.js

@@ -0,0 +1,168 @@
+'use strict';
+/**
+ * security-scanner.js — HC-022 static analysis for hardcoded secrets,
+ * injection patterns, XSS, and platform-aware security rules.
+ *
+ * Pure helper — no I/O. Caller provides file contents.
+ * Platform-aware: loads SF sharing/CRUD rules, NS eval rules.
+ *
+ * Architecture: docs/architecture/master-roadmap.md (Epic 2)
+ */
+
+// ── Core Rules ─────────────────────────────────────────────────
+
+const SECRET_PATTERNS = [
+  {
+    id: 'hardcoded-secret-apikey',
+    pattern: /(?:api[_-]?key|apikey|api[_-]?secret)\s*[:=]\s*["']([A-Za-z0-9/+=]{20,})["']/i,
+    severity: 'HIGH',
+    message: 'Hardcoded API key detected. Use environment variables instead.',
+  },
+  {
+    id: 'hardcoded-secret-password',
+    pattern: /(?:password|passwd|pwd|secret|token)\s*[:=]\s*["']([A-Za-z0-9@#$%^&*!]{16,})["']/i,
+    severity: 'HIGH',
+    message: 'Hardcoded password/secret detected. Use environment variables or a vault.',
+  },
+  {
+    id: 'hardcoded-secret-aws',
+    pattern: /AKIA[0-9A-Z]{16}/,
+    severity: 'HIGH',
+    message: 'AWS Access Key ID detected. Rotate immediately and use IAM roles.',
+  },
+  {
+    id: 'hardcoded-secret-private-key',
+    pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/,
+    severity: 'HIGH',
+    message: 'Private key detected in source code. Move to secure storage.',
+  },
+];
+
+const INJECTION_PATTERNS = [
+  {
+    id: 'eval-injection',
+    pattern: /\beval\s*\(/,
+    severity: 'HIGH',
+    message: 'eval() usage detected. Avoid eval with dynamic input — use safe alternatives.',
+  },
+  {
+    id: 'function-constructor',
+    pattern: /new\s+Function\s*\(/,
+    severity: 'HIGH',
+    message: 'new Function() is equivalent to eval(). Avoid with dynamic input.',
+  },
+  {
+    id: 'sql-injection',
+    pattern: /(?:SELECT|INSERT|UPDATE|DELETE|DROP)\s+.*(?:\+\s*\w|\$\{)/i,
+    severity: 'HIGH',
+    message: 'Potential SQL injection — string concatenation in query. Use parameterized queries.',
+  },
+];
+
+// ── Platform Rules ─────────────────────────────────────────────
+
+const SALESFORCE_RULES = [
+  {
+    id: 'sf-without-sharing',
+    pattern: /\bwithout\s+sharing\b/i,
+    severity: 'MEDIUM',
+    message: 'Class uses "without sharing". Document justification. Default should be "with sharing".',
+  },
+  {
+    id: 'sf-soql-in-loop',
+    pattern: /for\s*\([\s\S]{0,200}\[SELECT\b/i,
+    severity: 'HIGH',
+    message: 'SOQL query inside a loop — governor limit violation. Move query before loop.',
+  },
+];
+
+const NETSUITE_RULES = [
+  {
+    id: 'ns-eval-injection',
+    pattern: /\beval\s*\(/,
+    severity: 'HIGH',
+    message: 'eval() in SuiteScript is a security risk. Use N/search or JSON.parse instead.',
+  },
+  {
+    id: 'ns-function-constructor',
+    pattern: /new\s+Function\s*\(/,
+    severity: 'HIGH',
+    message: 'new Function() in SuiteScript — equivalent to eval(). Avoid.',
+  },
+];
+
+const PLATFORM_RULES = {
+  salesforce: SALESFORCE_RULES,
+  netsuite: NETSUITE_RULES,
+};
+
+// ── Scanner ────────────────────────────────────────────────────
+
+/**
+ * Scan files for security findings.
+ *
+ * @param {object} opts
+ * @param {object} opts.files — { path: content } map
+ * @param {string} [opts.platform] — 'salesforce' | 'netsuite' | etc.
+ * @returns {{ findings: Array<{file, line, rule, severity, message}>, summary: string }}
+ */
+function scanFiles(opts = {}) {
+  const files = opts.files || {};
+  const platform = opts.platform || null;
+  const findings = [];
+
+  // Combine core rules + platform rules
+  const rules = [...SECRET_PATTERNS, ...INJECTION_PATTERNS];
+  if (platform && PLATFORM_RULES[platform]) {
+    rules.push(...PLATFORM_RULES[platform]);
+  }
+
+  for (const [filePath, content] of Object.entries(files)) {
+    if (typeof content !== 'string') continue;
+
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+
+      // Skip env var references (not hardcoded)
+      if (/process\.env\.|os\.environ|System\.getenv|ENV\[/i.test(line)) continue;
+      // Skip comments
+      if (/^\s*(\/\/|#|--|\/\*|\*)/.test(line)) continue;
+
+      for (const rule of rules) {
+        if (rule.pattern.test(line)) {
+          // For secrets: verify the matched value is long enough (not a short string)
+          if (rule.id.startsWith('hardcoded-secret-') && !rule.id.includes('aws') && !rule.id.includes('private-key')) {
+            const match = line.match(rule.pattern);
+            if (match && match[1] && match[1].length < 16) continue;
+          }
+
+          findings.push({
+            file: filePath,
+            line: i + 1,
+            rule: rule.id,
+            severity: rule.severity,
+            message: rule.message,
+          });
+        }
+      }
+    }
+  }
+
+  // Summary
+  const high = findings.filter(f => f.severity === 'HIGH').length;
+  const medium = findings.filter(f => f.severity === 'MEDIUM').length;
+  const low = findings.filter(f => f.severity === 'LOW').length;
+  const summary = findings.length === 0
+    ? 'No security findings.'
+    : `${findings.length} finding(s): ${high} HIGH, ${medium} MEDIUM, ${low} LOW.`;
+
+  return { findings, summary };
+}
+
+module.exports = {
+  scanFiles,
+  SECRET_PATTERNS,
+  INJECTION_PATTERNS,
+  PLATFORM_RULES,
+};

package/lib/setup-grounding.js

@@ -0,0 +1,138 @@
+'use strict';
+/**
+ * setup-grounding.js — HC-013b-setup Phase 1c platform grounding.
+ *
+ * Called by hone-cli.js after the bash setup script finishes.
+ * Reads the just-written .pipeline-config.yml, runs platform discovery
+ * + MCP detection + doc registry selection, then augments the config.
+ *
+ * Pure orchestration helper — I/O injected via opts.
+ *
+ * Architecture: docs/architecture/platform-auto-discovery-v1.md
+ */
+
+const { discoverPlatformMetadata } = require('./platform-discover');
+const { detectMCPServer } = require('./mcp-detect');
+const { selectRegistryUrls } = require('./doc-registry');
+const { augmentPlatformConfig } = require('./config-augment');
+
+/**
+ * Run platform grounding for all detected platforms.
+ *
+ * @param {object} opts
+ * @param {string} opts.repoRoot — absolute path to repo root
+ * @param {string} opts.configText — raw .pipeline-config.yml content
+ * @param {object} opts.parsedConfig — parsed YAML (for reading platform.detected)
+ * @param {(rel: string) => string|null} opts.readFile — read file content
+ * @param {(rel: string) => string[]} opts.listDir — list directory entries
+ * @param {(cmd: string) => {stdout: string, exitCode: number}} opts.exec — shell exec
+ * @param {(platform: string) => object|null} opts.loadRegistry — load platform doc registry YAML
+ * @returns {{ augmentedConfig: string, platforms: object, skipped: boolean }}
+ */
+function groundPlatformConfig(opts) {
+  const { repoRoot, configText, parsedConfig, readFile, listDir, exec, loadRegistry } = opts;
+
+  // Guard: no config or no platform section
+  if (!configText || !parsedConfig) {
+    return { augmentedConfig: configText, platforms: {}, skipped: true, reason: 'no config' };
+  }
+
+  // Check if already grounded (idempotency)
+  if (parsedConfig.platform?.discovered_at && !opts.refresh) {
+    return {
+      augmentedConfig: configText,
+      platforms: {},
+      skipped: true,
+      reason: 'already grounded (use --refresh to re-scan)',
+    };
+  }
+
+  const detectedPlatforms = parsedConfig.platform?.detected || [];
+  if (detectedPlatforms.length === 0) {
+    return { augmentedConfig: configText, platforms: {}, skipped: true, reason: 'no platforms detected' };
+  }
+
+  // Run discovery + MCP detection + doc registry for each platform
+  const allResults = {};
+  const allMetadataTypes = { code: [], config: [], test: [] };
+  const allConfigPaths = [];
+  const allSourceRoots = [];
+  const allDocRegistries = [];
+  const allWarnings = [];
+
+  for (const platform of detectedPlatforms) {
+    // 1. Discover metadata types
+    const discovery = discoverPlatformMetadata({
+      platform,
+      repoRoot,
+      readFile,
+      listDir,
+    });
+
+    // Merge metadata types
+    for (const cat of ['code', 'config', 'test']) {
+      allMetadataTypes[cat].push(...discovery.metadata_types[cat]);
+    }
+    allConfigPaths.push(...discovery.config_paths);
+    allSourceRoots.push(...discovery.source_roots);
+    allWarnings.push(...discovery.warnings);
+
+    // 2. Detect MCP server
+    const mcp = exec ? detectMCPServer({ platform, repoRoot, exec }) : {
+      available: false, server: null, auth_method: null,
+      auth_status: 'unknown', capabilities: [], warnings: [],
+    };
+
+    // 3. Select doc registry URLs
+    const registry = loadRegistry ? loadRegistry(platform) : null;
+    const typeNames = [
+      ...discovery.metadata_types.code.map(t => t.type),
+      ...discovery.metadata_types.config.map(t => t.type),
+      ...discovery.metadata_types.test.map(t => t.type),
+    ];
+    const selectedDocs = registry ? selectRegistryUrls(registry, typeNames) : [];
+
+    if (registry) allDocRegistries.push(platform);
+
+    allResults[platform] = { discovery, mcp, selectedDocs };
+  }
+
+  // Determine MCP config from first platform with MCP available
+  let mcpConfig = { enabled: false };
+  for (const [, result] of Object.entries(allResults)) {
+    if (result.mcp.available) {
+      mcpConfig = {
+        enabled: true,
+        server: result.mcp.server,
+        capabilities: result.mcp.capabilities,
+      };
+      break;
+    }
+  }
+  // If no MCP available, include install hint from first platform
+  if (!mcpConfig.enabled) {
+    const firstMcp = Object.values(allResults)[0]?.mcp;
+    if (firstMcp?.install_hint) {
+      mcpConfig.install_hint = firstMcp.install_hint;
+    }
+  }
+
+  // Augment config
+  const augmentedConfig = augmentPlatformConfig(configText, {
+    discovered_at: new Date().toISOString(),
+    source_roots: [...new Set(allSourceRoots)],
+    metadata_types: allMetadataTypes,
+    config_paths: [...new Set(allConfigPaths)],
+    doc_registry: allDocRegistries.length > 0 ? allDocRegistries : detectedPlatforms,
+    mcp: mcpConfig,
+  });
+
+  return {
+    augmentedConfig,
+    platforms: allResults,
+    skipped: false,
+    warnings: allWarnings,
+  };
+}
+
+module.exports = { groundPlatformConfig };

package/lib/skill-assertions.js

@@ -0,0 +1,276 @@
+'use strict';
+/**
+ * skill-assertions.js — SA-001 / #137 (architect plan story 1/2): pure helper for
+ * the eventual Step 5b runtime audit agent.
+ *
+ * Story 1 ships the ENGINE only. Story 2 (CLI command + Code Reviewer
+ * agent prompt) is gated on ≥2 real skills authoring `## Assertions`
+ * blocks OR OptionsFlow E29-G design landing.
+ *
+ * Why ship the engine first (LC-001-L1 pattern): the assertion shape
+ * needs to soak against real skill-author intent before the runtime
+ * harness wires it into CI. Skills without an `## Assertions` block
+ * produce zero findings → opt-in, no false-positive blast radius.
+ *
+ * Contract (versioned via `version: 1` marker):
+ *   ```markdown
+ *   ## Assertions
+ *
+ *   ```yaml
+ *   version: 1
+ *   assertions:
+ *     - id: ERR-001
+ *       severity: BLOCKER          # advisory; no escalation logic in v1
+ *       description: "console.log forbidden in src/"
+ *       applies_to: "^src/"        # regex matched against file paths
+ *       forbid_added: "console\\.log"  # regex matched against added lines
+ *   ```
+ *   ```
+ *
+ * E29-G may later define a richer DSL; v1 stays parseable so existing
+ * skill assertions keep working until adopters explicitly migrate.
+ *
+ * Pure helper — no fs / child_process imports. Caller injects:
+ *   - parseAssertions(skillMarkdown) → { version, assertions, warnings }
+ *   - runAssertions({ diff, skills, referencedSkills? }) → { findings, scannedSkills, skipped }
+ *
+ * Issue: #137 (story 1/2).
+ */
+const yaml = require('js-yaml');
+
+const ASSERTION_VERSION = 1;
+const ASSERTIONS_HEADING_RE = /^##\s+Assertions\s*$/m;
+
+/** Severity labels. v1 carries them through findings; no escalation logic. */
+const SEVERITY = Object.freeze({
+  BLOCKER: 'BLOCKER',
+  WARN:    'WARN',
+  INFO:    'INFO',
+});
+const VALID_SEVERITIES = new Set(Object.values(SEVERITY));
+
+/**
+ * Parse the `## Assertions` block out of a skill's markdown.
+ *
+ * Returns { version, assertions, warnings }. Skills without the heading
+ * return { version: null, assertions: [], warnings: [] } — no error.
+ *
+ * Malformed YAML / regex / missing required fields produce structured
+ * warnings rather than throwing; the assertion is dropped from the
+ * output but the surrounding skill is still parseable.
+ *
+ * @param {string} skillMarkdown
+ * @returns {{ version: number|null, assertions: Assertion[], warnings: Warning[] }}
+ */
+function parseAssertions(skillMarkdown) {
+  const out = { version: null, assertions: [], warnings: [] };
+  if (typeof skillMarkdown !== 'string' || !skillMarkdown) return out;
+  if (!ASSERTIONS_HEADING_RE.test(skillMarkdown)) return out;
+
+  // Find the YAML fenced block under `## Assertions`. Allow zero or more
+  // blank/comment lines between the heading and the fence.
+  const headingIdx = skillMarkdown.search(ASSERTIONS_HEADING_RE);
+  if (headingIdx < 0) return out;
+  const after = skillMarkdown.slice(headingIdx);
+  // Scope: stop at the next `^## ` heading so we don't consume sibling sections.
+  const stopMatch = after.slice(1).search(/^##\s+/m);
+  const section = stopMatch >= 0 ? after.slice(0, stopMatch + 1) : after;
+  const fenceMatch = section.match(/```(?:ya?ml)?\s*\n([\s\S]*?)\n```/);
+  if (!fenceMatch) {
+    out.warnings.push({ kind: 'missing_yaml_fence', message: '## Assertions section has no ```yaml block' });
+    return out;
+  }
+
+  let parsed;
+  try { parsed = yaml.load(fenceMatch[1]); }
+  catch (e) {
+    out.warnings.push({ kind: 'yaml_parse_error', message: e.message });
+    return out;
+  }
+  if (!parsed || typeof parsed !== 'object') {
+    out.warnings.push({ kind: 'yaml_not_object', message: 'expected YAML mapping' });
+    return out;
+  }
+
+  out.version = (typeof parsed.version === 'number') ? parsed.version : null;
+  if (out.version !== null && out.version !== ASSERTION_VERSION) {
+    out.warnings.push({
+      kind: 'unsupported_version',
+      message: `assertion block version ${out.version}; this engine only supports version ${ASSERTION_VERSION} — block ignored`,
+    });
+    return out;
+  }
+
+  const list = Array.isArray(parsed.assertions) ? parsed.assertions : [];
+  for (let i = 0; i < list.length; i++) {
+    const raw = list[i];
+    if (!raw || typeof raw !== 'object') {
+      out.warnings.push({ kind: 'assertion_not_object', message: `assertions[${i}] is not an object` });
+      continue;
+    }
+    const id = typeof raw.id === 'string' && raw.id ? raw.id : null;
+    const description = typeof raw.description === 'string' ? raw.description : '';
+    const severity = (typeof raw.severity === 'string' && VALID_SEVERITIES.has(raw.severity)) ? raw.severity : SEVERITY.WARN;
+    const appliesToSrc = typeof raw.applies_to === 'string' ? raw.applies_to : null;
+    const forbidAddedSrc = typeof raw.forbid_added === 'string' ? raw.forbid_added : null;
+
+    if (!id) {
+      out.warnings.push({ kind: 'assertion_missing_id', message: `assertions[${i}] missing required field 'id'` });
+      continue;
+    }
+    if (!forbidAddedSrc) {
+      out.warnings.push({ kind: 'assertion_missing_pattern', message: `assertion ${id} missing required field 'forbid_added'` });
+      continue;
+    }
+
+    let appliesTo = null;
+    if (appliesToSrc) {
+      try { appliesTo = new RegExp(appliesToSrc); }
+      catch (e) {
+        out.warnings.push({ kind: 'invalid_applies_to', message: `assertion ${id}: invalid applies_to regex — ${e.message}` });
+        continue;
+      }
+    }
+
+    let forbidAdded;
+    try { forbidAdded = new RegExp(forbidAddedSrc); }
+    catch (e) {
+      out.warnings.push({ kind: 'invalid_forbid_added', message: `assertion ${id}: invalid forbid_added regex — ${e.message}` });
+      continue;
+    }
+
+    out.assertions.push({
+      id,
+      severity,
+      description,
+      appliesTo,           // RegExp | null
+      appliesToSrc,        // string | null (preserved for findings)
+      forbidAdded,         // RegExp
+      forbidAddedSrc,      // string (preserved for findings)
+    });
+  }
+  return out;
+}
+
+/**
+ * Walk a unified diff and run assertions against added lines.
+ *
+ * @param {object} opts
+ * @param {string} opts.diff - unified diff text (output of `git diff origin/develop...HEAD`)
+ * @param {Array<{id: string, content: string}>} opts.skills - skill objects with markdown content
+ * @param {string[]} [opts.referencedSkills] - if provided, only these skills are evaluated
+ * @returns {{ findings: Finding[], scannedSkills: string[], skipped: Skip[], warnings: Warning[] }}
+ */
+function runAssertions(opts = {}) {
+  const diff = typeof opts.diff === 'string' ? opts.diff : '';
+  const skills = Array.isArray(opts.skills) ? opts.skills : [];
+  const filter = Array.isArray(opts.referencedSkills) && opts.referencedSkills.length > 0
+    ? new Set(opts.referencedSkills)
+    : null;
+
+  const findings = [];
+  const scannedSkills = [];
+  const skipped = [];
+  const warnings = [];
+
+  // Parse the diff into per-file added-line sets ONCE (re-used across skills).
+  const filesAddedLines = parseDiffAddedLines(diff);
+
+  for (const skill of skills) {
+    if (!skill || typeof skill !== 'object') continue;
+    const skillId = skill.id || '<unknown>';
+    if (filter && !filter.has(skillId)) {
+      skipped.push({ skillId, reason: 'not in referencedSkills filter' });
+      continue;
+    }
+    const parsed = parseAssertions(skill.content || '');
+    for (const w of parsed.warnings) {
+      warnings.push({ skillId, ...w });
+    }
+    if (parsed.assertions.length === 0) {
+      skipped.push({ skillId, reason: 'no assertions defined' });
+      continue;
+    }
+    scannedSkills.push(skillId);
+
+    for (const a of parsed.assertions) {
+      for (const [filePath, addedLines] of filesAddedLines) {
+        if (a.appliesTo && !a.appliesTo.test(filePath)) continue;
+        for (const { lineNumber, text } of addedLines) {
+          if (a.forbidAdded.test(text)) {
+            findings.push({
+              skillId,
+              assertionId: a.id,
+              severity: a.severity,
+              description: a.description,
+              matchedFile: filePath,
+              matchedLine: lineNumber,
+              matchedText: text.slice(0, 200),  // bounded for artifact size
+              forbidAddedSrc: a.forbidAddedSrc,
+              appliesToSrc: a.appliesToSrc,
+            });
+          }
+        }
+      }
+    }
+  }
+
+  return { findings, scannedSkills, skipped, warnings };
+}
+
+/**
+ * Parse a unified diff into a map: filePath → array of added-line tuples.
+ *
+ * Tracks the new-file line counter (right side of @@ -A,B +C,D @@) so
+ * findings cite real line numbers in the post-change file.
+ *
+ * @param {string} diff
+ * @returns {Map<string, Array<{ lineNumber: number, text: string }>>}
+ */
+function parseDiffAddedLines(diff) {
+  const out = new Map();
+  if (!diff) return out;
+  const lines = diff.split('\n');
+  let currentFile = null;
+  let newLineNumber = 0;
+
+  for (const raw of lines) {
+    // New file header: "+++ b/path/to/file"  (the "b/" prefix is git's convention)
+    const fileHeader = raw.match(/^\+\+\+\s+b\/(.+?)(?:\s|$)/);
+    if (fileHeader) {
+      currentFile = fileHeader[1];
+      if (!out.has(currentFile)) out.set(currentFile, []);
+      newLineNumber = 0;
+      continue;
+    }
+    // Hunk header: "@@ -A,B +C,D @@" — reset the new-side line counter to C.
+    const hunkHeader = raw.match(/^@@\s+-\d+(?:,\d+)?\s+\+(\d+)(?:,\d+)?\s+@@/);
+    if (hunkHeader) {
+      newLineNumber = parseInt(hunkHeader[1], 10);
+      continue;
+    }
+    if (currentFile === null) continue;
+
+    if (raw.startsWith('+') && !raw.startsWith('+++')) {
+      out.get(currentFile).push({
+        lineNumber: newLineNumber,
+        text: raw.slice(1),  // strip the leading '+'
+      });
+      newLineNumber += 1;
+    } else if (raw.startsWith('-') && !raw.startsWith('---')) {
+      // Removed line; doesn't advance the new-side counter.
+    } else if (!raw.startsWith('\\')) {
+      // Context / unchanged line; advances the new-side counter.
+      newLineNumber += 1;
+    }
+  }
+  return out;
+}
+
+module.exports = {
+  parseAssertions,
+  runAssertions,
+  parseDiffAddedLines,
+  ASSERTION_VERSION,
+  SEVERITY,
+};