@hongmaple0820/scale-engine 0.48.0 → 0.50.1

package/dist/workflow/gates/GateSystem.js

@@ -7,12 +7,32 @@ import { registerMetaGovernanceGates } from './MetaGovernanceGates.js';
 import { registerEnhancedGates } from './EnhancedGates.js';
 import { META_GOVERNANCE_GATE_STAGES, ENHANCED_GATE_STAGES } from '../GateCatalog.js';
 import { createHash } from 'node:crypto';
+import { mkdtempSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
 import { RuntimeEvidenceLedger } from '../../runtime/RuntimeEvidenceLedger.js';
 import { compressCommandOutput } from '../../tools/CommandOutputCompressor.js';
 import { CommandRunLedger } from '../../tools/CommandRunLedger.js';
 import { auditDependencies } from '../../guardrails/DependencyAuditor.js';
 import { runSafeCommand } from '../../tools/SafeCommandRunner.js';
 import { logger } from '../../core/logger.js';
+const DEFAULT_BUILD_TIMEOUT_MS = 120_000;
+const DEFAULT_LINT_TIMEOUT_MS = 60_000;
+const DEFAULT_TEST_TIMEOUT_MS = 900_000;
+const DEFAULT_COVERAGE_TIMEOUT_MS = 300_000;
+const DEFAULT_PRODUCT_SMOKE_TIMEOUT_MS = 180_000;
+const GATE_TIMEOUT_ENV = {
+    G0: 'SCALE_GATE_BUILD_TIMEOUT_MS',
+    G4: 'SCALE_GATE_LINT_TIMEOUT_MS',
+    G5: 'SCALE_GATE_TEST_TIMEOUT_MS',
+    G6: 'SCALE_GATE_COVERAGE_TIMEOUT_MS',
+    G8: 'SCALE_GATE_SMOKE_TIMEOUT_MS',
+};
+export function resolveGateTimeoutMs(stage, fallbackMs) {
+    const value = process.env[GATE_TIMEOUT_ENV[stage] ?? ''] ?? process.env.SCALE_GATE_COMMAND_TIMEOUT_MS;
+    const parsed = Number.parseInt(value ?? '', 10);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : fallbackMs;
+}
 function tail(value, maxLength = 1000) {
     return value.length > maxLength ? value.slice(-maxLength) : value;
 }
@@ -22,7 +42,7 @@ function sha256(value) {
 export async function runShellCommand(command, timeout, cwd = process.cwd(), options = {}) {
     const start = Date.now();
     try {
-        const result = await runSafeCommand(command, { timeout, cwd });
+        const result = await runSafeCommand(command, { timeout, cwd, env: options.env });
         const end = Date.now();
         return finalizeCommandResult(command, {
             code: result.exitCode,
@@ -98,8 +118,10 @@ export class GateSystem {
         this.gates = new Map();
         this.results = new Map();
         this.eventBus = eventBus;
-        this.evidenceStore = new EvidenceStore();
-        this.commands = detectVerificationCommands(commandConfig.cwd ?? process.cwd(), commandConfig);
+        this.rootDir = commandConfig.cwd ?? process.cwd();
+        this.scaleDir = commandConfig.scaleDir ?? commandConfig.runtimeEvidence?.scaleDir ?? '.scale';
+        this.evidenceStore = new EvidenceStore(this.scaleDir);
+        this.commands = detectVerificationCommands(this.rootDir, commandConfig);
         this.artifactWriter = artifactWriter ?? new WorkflowArtifactWriter();
         this.registerDefaultGates();
     }
@@ -132,9 +154,10 @@ export class GateSystem {
         if (cacheableGates.includes(stage)) {
             try {
                 const { ScanCache } = await import('../../cache/ScanCache.js');
-                const scanCache = new ScanCache();
+                const scanCache = new ScanCache(this.rootDir);
                 const changedFiles = await this.getChangedFiles();
                 const fileHashes = scanCache.hashFiles(changedFiles);
+                fileHashes['__gate_context__'] = this.cacheContextForGate(stage);
                 const cacheKey = scanCache.computeKey(fileHashes);
                 const cached = scanCache.get(stage, cacheKey);
                 if (cached) {
@@ -192,7 +215,8 @@ export class GateSystem {
                     return result;
                 }
             }
-            catch {
+            catch (err) {
+                logger.debug({ err, stage }, 'Gate cache lookup failed; executing gate directly');
                 // Cache infrastructure failed — fall through to direct execution
             }
         }
@@ -250,7 +274,8 @@ export class GateSystem {
             const record = this.evidenceStore.saveGateResult(result);
             result.evidenceRecordId = record.id;
         }
-        catch {
+        catch (err) {
+            logger.debug({ err, gate: result.gate }, 'Gate evidence persistence failed');
             // Evidence persistence must not mask the gate decision itself.
         }
     }
@@ -309,14 +334,36 @@ export class GateSystem {
     }
     async getChangedFiles() {
         const { execSync } = await import('node:child_process');
+        const { resolve } = await import('node:path');
         try {
-            const output = execSync('git diff --name-only HEAD', { encoding: 'utf-8', stdio: 'pipe' });
-            return output.trim().split('\n').filter(Boolean);
+            const output = execSync('git diff --name-only HEAD', { cwd: this.rootDir, encoding: 'utf-8', stdio: 'pipe' });
+            return output.trim().split('\n').filter(Boolean).map(file => resolve(this.rootDir, file));
         }
         catch {
             return [];
         }
     }
+    cacheContextForGate(stage) {
+        const commandByStage = {
+            G0: this.commands.build,
+            G4: this.commands.lint,
+            G5: this.commands.test,
+            G6: this.commands.coverage,
+        };
+        const command = commandByStage[stage];
+        return JSON.stringify({
+            gateCacheSchema: 3,
+            rootDir: this.rootDir,
+            scaleDir: this.scaleDir,
+            stage,
+            command: command?.command,
+            source: command?.source,
+            reason: command?.reason,
+            cwd: command?.cwd,
+            tddStrict: this.commands.tddStrict,
+            tddEvidence: this.commands.tddEvidence,
+        });
+    }
     registerDefaultGates() {
         this.registerGate(new ExplorationGate(this.artifactWriter));
         this.registerGate(new PlanningGate(this.artifactWriter));
@@ -325,7 +372,11 @@ export class GateSystem {
         this.registerGate(new LintGate(this.commands.lint, this.commands.runtimeEvidence));
         this.registerGate(new TestGate(this.commands.test, this.commands.runtimeEvidence));
         this.registerGate(new CoverageGate(this.commands.coverage, this.commands.runtimeEvidence));
-        this.registerGate(new SecurityGate());
+        this.registerGate(new SecurityGate({
+            rootDir: this.rootDir,
+            scaleDir: this.scaleDir,
+            changedFilesProvider: () => this.getChangedFiles(),
+        }));
         this.registerGate(new ProductSmokeGate(this.commands.smoke, this.commands.runtimeEvidence));
     }
 }
@@ -385,10 +436,16 @@ function commandEvidence(label, command, passed, commandResult, fallbackDetail =
     });
 }
 function gateCommandOptions(stage, command, runtimeEvidence) {
-    if (!runtimeEvidence)
-        return {};
-    return {
-        commandRunEvidence: {
+    const options = {};
+    if (stage === 'G5') {
+        const isolatedScaleDir = mkdtempSync(join(tmpdir(), 'scale-g5-'));
+        options.env = {
+            SCALE_DIR: isolatedScaleDir,
+            SCALE_PROJECT_DIR: runtimeEvidence?.projectDir ?? command.cwd ?? process.cwd(),
+        };
+    }
+    if (runtimeEvidence) {
+        options.commandRunEvidence = {
             projectDir: runtimeEvidence.projectDir ?? command.cwd ?? process.cwd(),
             scaleDir: runtimeEvidence.scaleDir,
             taskId: runtimeEvidence.taskId,
@@ -396,8 +453,9 @@ function gateCommandOptions(stage, command, runtimeEvidence) {
             profile: runtimeEvidence.profile,
             gate: stage,
             source: command.source,
-        },
-    };
+        };
+    }
+    return options;
 }
 export class ExplorationGate {
     constructor(artifactWriter) {
@@ -509,7 +567,8 @@ export class ExplorationGate {
                 await fs.access(candidate);
                 return candidate;
             }
-            catch {
+            catch (err) {
+                logger.debug({ err, candidate }, 'Knowledge file candidate not found');
                 // Try the next platform-specific knowledge file.
             }
         }
@@ -522,7 +581,8 @@ export class ExplorationGate {
                 await fs.access(candidate);
                 return true;
             }
-            catch {
+            catch (err) {
+                logger.debug({ err, candidate }, 'Knowledge graph artifact candidate not found');
                 // Try the next graphify artifact candidate.
             }
         }
@@ -595,7 +655,8 @@ export class PlanningGate {
             const entries = await fs.readdir(specDir);
             return entries.some(entry => entry.endsWith('.md'));
         }
-        catch {
+        catch (err) {
+            logger.debug({ err }, 'Security scan skipped unreadable path');
             return false;
         }
     }
@@ -738,7 +799,7 @@ export class BuildGate {
         const blockers = [];
         let commandResult = null;
         try {
-            commandResult = await runShellCommand(this.command.command, 120000, this.command.cwd, gateCommandOptions(this.stage, this.command, this.runtimeEvidence));
+            commandResult = await runShellCommand(this.command.command, resolveGateTimeoutMs(this.stage, DEFAULT_BUILD_TIMEOUT_MS), this.command.cwd, gateCommandOptions(this.stage, this.command, this.runtimeEvidence));
             if (commandResult.code !== 0) {
                 blockers.push(`Build failed: ${commandResult.stderr}`);
             }
@@ -776,7 +837,7 @@ export class LintGate {
         const blockers = [];
         let commandResult = null;
         try {
-            commandResult = await runShellCommand(this.command.command, 60000, this.command.cwd, gateCommandOptions(this.stage, this.command, this.runtimeEvidence));
+            commandResult = await runShellCommand(this.command.command, resolveGateTimeoutMs(this.stage, DEFAULT_LINT_TIMEOUT_MS), this.command.cwd, gateCommandOptions(this.stage, this.command, this.runtimeEvidence));
             if (commandResult.code !== 0) {
                 blockers.push(`Lint failed: ${commandResult.stderr}`);
             }
@@ -814,7 +875,7 @@ export class TestGate {
         const blockers = [];
         let commandResult = null;
         try {
-            commandResult = await runShellCommand(this.command.command, 120000, this.command.cwd, gateCommandOptions(this.stage, this.command, this.runtimeEvidence));
+            commandResult = await runShellCommand(this.command.command, resolveGateTimeoutMs(this.stage, DEFAULT_TEST_TIMEOUT_MS), this.command.cwd, gateCommandOptions(this.stage, this.command, this.runtimeEvidence));
             if (commandResult.code !== 0) {
                 blockers.push(`Tests failed: ${commandResult.stderr}`);
             }
@@ -853,13 +914,12 @@ export class CoverageGate {
         let detail = '';
         let commandResult = null;
         try {
-            commandResult = await runShellCommand(this.command.command, 120000, this.command.cwd, gateCommandOptions(this.stage, this.command, this.runtimeEvidence));
+            commandResult = await runShellCommand(this.command.command, resolveGateTimeoutMs(this.stage, DEFAULT_COVERAGE_TIMEOUT_MS), this.command.cwd, gateCommandOptions(this.stage, this.command, this.runtimeEvidence));
             if (commandResult.code !== 0) {
                 blockers.push(`Coverage command failed: ${commandResult.stderr}`);
             }
-            const coverageMatch = commandResult.stdout.match(/All files[^|]*\|[^|]*\|[^|]*\|[^|]*\|[^|]*\|\s*(\d+\.?\d*)/);
-            if (coverageMatch) {
-                const coverage = parseFloat(coverageMatch[1]);
+            const coverage = parseCoveragePercentage(commandResult.stdout);
+            if (coverage !== null) {
                 detail = `Coverage: ${coverage}%`;
                 if (coverage < 80) {
                     blockers.push(`Coverage ${coverage}% below 80% threshold`);
@@ -890,6 +950,26 @@ export class CoverageGate {
         };
     }
 }
+function parseCoveragePercentage(output) {
+    const allFilesLine = output
+        .split(/\r?\n/)
+        .find(line => /^\s*All files\s*\|/.test(line));
+    if (!allFilesLine)
+        return null;
+    const values = allFilesLine
+        .split('|')
+        .slice(1)
+        .map(part => part.trim().match(/^(\d+(?:\.\d+)?)/)?.[1])
+        .filter((value) => Boolean(value))
+        .map(Number);
+    if (values.length >= 5)
+        return values[values.length - 1];
+    if (values.length >= 4)
+        return values[3];
+    if (values.length > 0)
+        return values[values.length - 1];
+    return null;
+}
 export class SecurityGate {
     constructor(options = {}) {
         this.stage = 'G7';
@@ -905,9 +985,12 @@ export class SecurityGate {
         this.dependencyAudit = options.dependencyAudit ?? true;
         this.dependencyAuditMode = options.dependencyAuditMode;
         this.dependencyAuditChangedPackages = options.dependencyAuditChangedPackages;
+        this.changedFiles = options.changedFiles;
+        this.changedFilesProvider = options.changedFilesProvider;
     }
     async execute() {
-        const findings = await this.scan();
+        const changedFiles = await this.resolveChangedFiles();
+        const findings = await this.scan(changedFiles);
         const dependencyReport = this.dependencyAudit ? auditDependencies({
             projectDir: this.rootDir,
             scaleDir: this.scaleDir,
@@ -915,11 +998,12 @@ export class SecurityGate {
             changedPackages: this.dependencyAuditChangedPackages,
         }) : null;
         const blockers = findings
-            .filter(finding => finding.severity === 'CRITICAL' || (this.strict && finding.severity === 'HIGH'))
+            .filter(finding => this.blocksFinding(finding, changedFiles))
             .map(finding => `${finding.severity} ${finding.ruleId} in ${finding.file}:${finding.line} - ${finding.description}`);
         blockers.push(...(dependencyReport?.blockers ?? []));
         const passed = blockers.length === 0;
         const summary = this.summarize(findings);
+        const changedHigh = findings.filter(finding => finding.severity === 'HIGH' && this.isChangedFinding(finding, changedFiles)).length;
         const evidenceItems = [
             createEvidence({
                 kind: 'scan',
@@ -927,14 +1011,14 @@ export class SecurityGate {
                 passed,
                 path: this.scanDirs.join(','),
                 detail: findings.length > 0
-                    ? `${findings.length} finding(s): critical=${summary.CRITICAL}, high=${summary.HIGH}, medium=${summary.MEDIUM}, low=${summary.LOW}, strict=${this.strict}`
+                    ? `${findings.length} finding(s): critical=${summary.CRITICAL}, high=${summary.HIGH}, medium=${summary.MEDIUM}, low=${summary.LOW}, changedHigh=${changedHigh}, strict=${this.strict}`
                     : 'no built-in security findings detected',
                 source: 'built-in-security-scan',
             }),
             ...findings.slice(0, this.maxFindings).map(finding => createEvidence({
                 kind: 'scan',
                 label: `Security finding ${finding.ruleId}`,
-                passed: finding.severity !== 'CRITICAL' && finding.severity !== 'HIGH',
+                passed: !this.blocksFinding(finding, changedFiles),
                 path: finding.file,
                 detail: `${finding.severity} line ${finding.line}: ${finding.description}; ${finding.evidence}`,
                 source: 'built-in-security-scan',
@@ -950,14 +1034,20 @@ export class SecurityGate {
             blockers
         };
     }
-    async scan() {
+    async scan(changedFiles) {
         const findings = [];
         try {
-            const fs = await import('fs/promises');
-            const { join, relative } = await import('path');
-            const files = [];
+            const fs = await import('node:fs/promises');
+            const { join, relative } = await import('node:path');
+            const files = new Set();
+            for (const file of changedFiles) {
+                if (!/\.(ts|tsx|js|jsx|mjs|cjs)$/.test(file))
+                    continue;
+                files.add(join(this.rootDir, file));
+            }
             for (const dir of this.scanDirs) {
-                files.push(...await this.walkDir(join(this.rootDir, dir)));
+                for (const file of await this.walkDir(join(this.rootDir, dir)))
+                    files.add(file);
             }
             for (const file of files) {
                 if (findings.length >= this.maxFindings)
@@ -972,11 +1062,37 @@ export class SecurityGate {
                 findings.push(...this.scanFile(displayPath, content).slice(0, this.maxFindings - findings.length));
             }
         }
-        catch {
+        catch (err) {
+            logger.debug({ err, rootDir: this.rootDir, scanDirs: this.scanDirs }, 'Security scan skipped unreadable path');
             // A missing scan directory should not mask the rest of the verification run.
         }
         return findings;
     }
+    async resolveChangedFiles() {
+        const raw = this.changedFilesProvider
+            ? await this.changedFilesProvider()
+            : (this.changedFiles ?? []);
+        return new Set(raw.map(file => this.normalizeChangedFile(file)).filter(Boolean));
+    }
+    normalizeChangedFile(file) {
+        const normalized = file.replace(/\\/g, '/');
+        const root = this.rootDir.replace(/\\/g, '/').replace(/\/$/, '');
+        if (normalized === root)
+            return '';
+        if (normalized.startsWith(`${root}/`))
+            return normalized.slice(root.length + 1);
+        return normalized.replace(/^\.\//, '');
+    }
+    blocksFinding(finding, changedFiles) {
+        if (finding.severity === 'CRITICAL')
+            return true;
+        if (finding.severity !== 'HIGH')
+            return false;
+        return this.strict || this.isChangedFinding(finding, changedFiles);
+    }
+    isChangedFinding(finding, changedFiles) {
+        return changedFiles.has(finding.file);
+    }
     scanFile(file, content) {
         const findings = [];
         const lines = content.split('\n');
@@ -1019,8 +1135,8 @@ export class SecurityGate {
                 }
             }
         }
-        catch {
-            // Ignore unreadable directories.
+        catch (err) {
+            logger.debug({ err, dir }, 'Security scan skipped unreadable directory');
         }
         return results;
     }
@@ -1163,13 +1279,64 @@ export class SecurityGate {
     }
     isRuleDefinition(file, line) {
         const trimmed = line.trim();
-        return file.endsWith('GateSystem.ts') && (/^pattern:\s*\/.*\/[dgimsuy]*,?$/.test(trimmed) || /^id:\s*['"`][^'"`]+['"`],?$/.test(trimmed));
+        if (this.isSecurityRuleSource(file) && this.isSecurityRuleDefinitionLine(trimmed)) {
+            return true;
+        }
+        return /\/.*(?:dangerouslySetInnerHTML|\\\.innerHTML|document\\\.write|password|api\[_-\]\?key|secret|token|shell:\s*true|@ts-ignore|catch).*\/[dgimsuy]*\.test\(\s*(?:line|trimmed)\s*\)/i.test(trimmed);
+    }
+    isSecurityRuleSource(file) {
+        return this.isGeneratedShieldHook(file) || [
+            'src/guardrails/advancedDetectors.ts',
+            'src/guardrails/ast/confirmers.ts',
+            'src/guardrails/OWASPDetector.ts',
+            'src/shield/PolicyCompiler.ts',
+            'src/shield/ProtectedPaths.ts',
+            'src/skills/SkillRepository.ts',
+            'src/cli/shieldCommands.ts',
+            'src/workflow/gates/GateSystem.ts',
+            'src/workflow/ReviewAnalyzer.ts',
+            'src/workflow/SecurityAudit.ts',
+        ].some(ruleSource => file.endsWith(ruleSource));
+    }
+    isGeneratedShieldHook(file) {
+        return /(^|\/)\.claude\/hooks\/shield-[^/]+\.js$/i.test(file);
+    }
+    isSecurityRuleDefinitionLine(trimmed) {
+        if (/^id:\s*['"`][^'"`]+['"`],?$/.test(trimmed))
+            return true;
+        if (/^\{?\s*pattern:\s*\/.*\/[dgimsuy]*,?/.test(trimmed))
+            return true;
+        if (/^patterns:\s*\[/.test(trimmed))
+            return true;
+        if (/^\/.*\/[dgimsuy]*,?(?:\s*\/\/.*)?$/.test(trimmed))
+            return true;
+        if (/^\{?\s*(?:re|pattern):\s*\/.*\/[dgimsuy]*/i.test(trimmed))
+            return true;
+        if (/^(?:const|let|var)\s+\w*pattern\w*\s*=\s*\/.*\/[dgimsuy]*/i.test(trimmed))
+            return true;
+        if (/^(?:const|let|var)\s+\w+\s*=\s*\[.*(?:rm\s+-rf|curl\s*\|\s*bash|wget\s*\|\s*bash|Invoke-Expression|chmod\s+777|git reset --hard|git push --force)/i.test(trimmed))
+            return true;
+        if (/^['"`].*(?:rm\s+-rf|curl\s*\|\s*bash|wget\s*\|\s*bash|Invoke-Expression|chmod\s+777|git reset --hard|git push --force|DROP TABLE|DELETE without WHERE).*['"`],?$/i.test(trimmed))
+            return true;
+        if (/^['"`][^'"`]+['"`](?:\s*,\s*['"`][^'"`]+['"`])*[,]?$/.test(trimmed) && /(?:rm\s+-rf|curl\s*\|\s*bash|wget\s*\|\s*bash|Invoke-Expression|chmod\s+777|git reset --hard|git push --force|DROP TABLE|DELETE without WHERE)/i.test(trimmed))
+            return true;
+        if (/\bexpect:\s*['"`]block['"`]/.test(trimmed) && /\b(?:input|command|label):/.test(trimmed))
+            return true;
+        if (/^(?:name|title|description|recommendation|remediation):\s*['"`].*(?:dangerouslySetInnerHTML|innerHTML|document\.write|eval\(|new Function|curl pipe|shell:\s*true)/i.test(trimmed))
+            return true;
+        return /^(?:if\s*\(|return\s+)?\/?.*(?:dangerouslySetInnerHTML|innerHTML|document\.write|eval\(|new Function|curl|wget|Invoke-WebRequest|Invoke-Expression|rm\s+-rf|shell:\s*true).*\/[dgimsuy]*\.test\(/i.test(trimmed) ||
+            /^(?:\/\/|\/\*\*?|\*)\s*.*(?:dangerouslySetInnerHTML|innerHTML|document\.write|eval\(|new Function|curl pipe|shell:\s*true)/i.test(trimmed);
     }
     isSecurityTestFixture(file, line) {
         if (!this.isTestPath(file))
             return false;
-        return /\b(?:text|content|diff|source)\b\s*[:=]/.test(line) &&
-            /['"`].*(?:password|api[_-]?key|secret|token|auth|credential|private[_-]?key|git add|shell: true|@ts-ignore|catch)/i.test(line);
+        const riskyFixtureText = /['"`].*(?:password|api[_-]?key|secret|token|auth|credential|private[_-]?key|git add|rm\s+-rf|curl\b.*\|.*(?:bash|sh)|Invoke-WebRequest\b.*\|\s*iex|shell: true|dangerouslySetInnerHTML|innerHTML|document\.write|eval\(|new Function|@ts-ignore|catch)/i.test(line);
+        if (!riskyFixtureText)
+            return false;
+        const fixtureField = /\b(?:text|content|diff|source|command|input|tool_input)\b\s*[:=]/.test(line);
+        const fixtureCodePath = /^\s*['"`][^'"`]+\.(?:ts|tsx|js|jsx|mjs|cjs)['"`]\s*:\s*['"`]/.test(line);
+        const fixtureLiteral = /^\s*['"`].*['"`]\s*,?$/.test(line);
+        return fixtureField || fixtureCodePath || fixtureLiteral;
     }
 }
 function parseProductSmokeReport(commandResult) {
@@ -1213,7 +1380,7 @@ export class ProductSmokeGate {
         const blockers = [];
         let commandResult = null;
         try {
-            commandResult = await runShellCommand(this.command.command, 180000, this.command.cwd, gateCommandOptions(this.stage, this.command, this.runtimeEvidence));
+            commandResult = await runShellCommand(this.command.command, resolveGateTimeoutMs(this.stage, DEFAULT_PRODUCT_SMOKE_TIMEOUT_MS), this.command.cwd, gateCommandOptions(this.stage, this.command, this.runtimeEvidence));
             if (commandResult.code !== 0) {
                 blockers.push(`Product smoke failed: ${commandResult.stderr || commandResult.stdout || `exit code ${commandResult.code}`}`);
             }