@lvlup-sw/exarchos 2.0.1

package/scripts/security-scan.sh

@@ -0,0 +1,248 @@
+#!/usr/bin/env bash
+# Security Scan
+# Scans code changes for common security anti-patterns in the quality-review workflow.
+#
+# Usage: security-scan.sh --diff-file <path>
+#        security-scan.sh --repo-root <path> --base-branch <branch>
+#
+# Exit codes:
+#   0 = no findings
+#   1 = findings detected
+#   2 = usage error
+
+set -euo pipefail
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+# ============================================================
+# ARGUMENT PARSING
+# ============================================================
+
+DIFF_FILE=""
+REPO_ROOT=""
+BASE_BRANCH=""
+
+usage() {
+    cat << 'USAGE'
+Usage: security-scan.sh --diff-file <path>
+       security-scan.sh --repo-root <path> --base-branch <branch>
+
+Scan code changes for common security anti-patterns.
+
+Options:
+  --diff-file <path>      Path to a unified diff file
+  --repo-root <path>      Repository root (used with --base-branch)
+  --base-branch <branch>  Base branch to diff against (used with --repo-root)
+  --help                  Show this help message
+
+Detected patterns:
+  - Hardcoded secrets (API keys, passwords, tokens)
+  - eval() usage
+  - SQL string concatenation
+  - innerHTML assignment
+  - dangerouslySetInnerHTML
+  - child_process.exec with variable input
+
+Exit codes:
+  0  No security findings
+  1  Security findings detected
+  2  Usage error
+USAGE
+}
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --diff-file)
+            if [[ -z "${2:-}" ]]; then
+                echo "Error: --diff-file requires a path argument" >&2
+                exit 2
+            fi
+            DIFF_FILE="$2"
+            shift 2
+            ;;
+        --repo-root)
+            if [[ -z "${2:-}" ]]; then
+                echo "Error: --repo-root requires a path argument" >&2
+                exit 2
+            fi
+            REPO_ROOT="$2"
+            shift 2
+            ;;
+        --base-branch)
+            if [[ -z "${2:-}" ]]; then
+                echo "Error: --base-branch requires a branch argument" >&2
+                exit 2
+            fi
+            BASE_BRANCH="$2"
+            shift 2
+            ;;
+        --help)
+            usage
+            exit 0
+            ;;
+        *)
+            echo "Error: Unknown argument '$1'" >&2
+            usage >&2
+            exit 2
+            ;;
+    esac
+done
+
+# Validate inputs
+if [[ -z "$DIFF_FILE" && ( -z "$REPO_ROOT" || -z "$BASE_BRANCH" ) ]]; then
+    echo "Error: Must provide --diff-file or both --repo-root and --base-branch" >&2
+    usage >&2
+    exit 2
+fi
+
+# ============================================================
+# DIFF RESOLUTION
+# ============================================================
+
+DIFF_CONTENT=""
+
+if [[ -n "$DIFF_FILE" ]]; then
+    if [[ ! -f "$DIFF_FILE" ]]; then
+        echo "Error: Diff file not found: $DIFF_FILE" >&2
+        exit 2
+    fi
+    DIFF_CONTENT="$(cat "$DIFF_FILE")"
+else
+    DIFF_CONTENT="$(cd "$REPO_ROOT" && git diff "$BASE_BRANCH"...HEAD 2>/dev/null)" || {
+        echo "Error: Failed to generate diff from $BASE_BRANCH" >&2
+        exit 2
+    }
+fi
+
+# ============================================================
+# SECURITY PATTERN SCANNING
+# ============================================================
+
+FINDINGS=()
+FINDING_COUNT=0
+CURRENT_FILE=""
+
+# Extract only added lines from the diff (lines starting with +, excluding +++ headers)
+# Track file names from diff headers
+scan_diff() {
+    local diff_line_num=0
+
+    while IFS= read -r line; do
+        # Track current file from diff headers
+        if [[ "$line" =~ ^diff\ --git\ a/(.+)\ b/ ]]; then
+            CURRENT_FILE="${BASH_REMATCH[1]}"
+            diff_line_num=0
+            continue
+        fi
+
+        # Track line numbers from hunk headers
+        if [[ "$line" =~ ^@@\ -[0-9]+(,[0-9]+)?\ \+([0-9]+)(,[0-9]+)?\ @@ ]]; then
+            diff_line_num="${BASH_REMATCH[2]}"
+            continue
+        fi
+
+        # Skip non-addition lines
+        if [[ ! "$line" =~ ^\+ ]]; then
+            if [[ "$line" =~ ^[^-] ]]; then
+                diff_line_num=$((diff_line_num + 1))
+            fi
+            continue
+        fi
+
+        # Skip +++ header lines
+        if [[ "$line" =~ ^\+\+\+ ]]; then
+            continue
+        fi
+
+        local added_line="${line:1}"  # Strip leading +
+
+        # Pattern 1: Hardcoded secrets (API keys, passwords, tokens in string literals)
+        if echo "$added_line" | grep -qEi '(API_KEY|SECRET|PASSWORD|TOKEN|PRIVATE_KEY)\s*=\s*["\x27]'; then
+            add_finding "$CURRENT_FILE" "$diff_line_num" "Hardcoded secret/credential" "HIGH" "$added_line"
+        fi
+
+        # Pattern 2: eval() usage
+        if echo "$added_line" | grep -qE '\beval\s*\('; then
+            add_finding "$CURRENT_FILE" "$diff_line_num" "eval() usage" "HIGH" "$added_line"
+        fi
+
+        # Pattern 3: SQL string concatenation
+        if echo "$added_line" | grep -qEi '"SELECT\b.*"\s*\+|`SELECT\b.*\$\{'; then
+            add_finding "$CURRENT_FILE" "$diff_line_num" "SQL string concatenation" "HIGH" "$added_line"
+        fi
+
+        # Pattern 4: innerHTML assignment
+        if echo "$added_line" | grep -qE '\.innerHTML\s*='; then
+            add_finding "$CURRENT_FILE" "$diff_line_num" "innerHTML assignment" "MEDIUM" "$added_line"
+        fi
+
+        # Pattern 5: dangerouslySetInnerHTML
+        if echo "$added_line" | grep -qE 'dangerouslySetInnerHTML'; then
+            add_finding "$CURRENT_FILE" "$diff_line_num" "dangerouslySetInnerHTML usage" "MEDIUM" "$added_line"
+        fi
+
+        # Pattern 6: child_process.exec with variable
+        if echo "$added_line" | grep -qE 'child_process.*exec\s*\(|exec\s*\(\s*[^"'\''`]'; then
+            add_finding "$CURRENT_FILE" "$diff_line_num" "child_process.exec with variable input" "HIGH" "$added_line"
+        fi
+
+        diff_line_num=$((diff_line_num + 1))
+    done <<< "$DIFF_CONTENT"
+}
+
+add_finding() {
+    local file="$1"
+    local line="$2"
+    local pattern="$3"
+    local severity="$4"
+    local context="$5"
+
+    # Trim context to reasonable length
+    if [[ ${#context} -gt 120 ]]; then
+        context="${context:0:117}..."
+    fi
+
+    FINDINGS+=("- **${severity}** \`${file}:${line}\` — ${pattern}: \`${context}\`")
+    FINDING_COUNT=$((FINDING_COUNT + 1))
+}
+
+# Run the scan
+scan_diff
+
+# ============================================================
+# STRUCTURED OUTPUT
+# ============================================================
+
+echo "## Security Scan Report"
+echo ""
+
+if [[ -n "$DIFF_FILE" ]]; then
+    echo "**Source:** \`$DIFF_FILE\`"
+else
+    echo "**Source:** \`$REPO_ROOT\` (diff against \`$BASE_BRANCH\`)"
+fi
+echo ""
+
+if [[ $FINDING_COUNT -eq 0 ]]; then
+    echo "No security patterns detected."
+    echo ""
+    echo "---"
+    echo ""
+    echo "**Result: CLEAN** (0 findings)"
+    exit 0
+else
+    echo "**Findings ($FINDING_COUNT):**"
+    echo ""
+    for finding in "${FINDINGS[@]}"; do
+        echo "$finding"
+    done
+    echo ""
+    echo "---"
+    echo ""
+    echo "**Result: FINDINGS** ($FINDING_COUNT security patterns detected)"
+    exit 1
+fi

package/scripts/select-debug-track.sh

@@ -0,0 +1,186 @@
+#!/usr/bin/env bash
+# Select Debug Track
+# Deterministic track selection from urgency and root-cause knowledge.
+# Replaces prose-based decision-making with a clear decision tree.
+#
+# Usage: select-debug-track.sh --urgency <critical|high|medium|low> --root-cause-known <yes|no>
+#        select-debug-track.sh --state-file <path>
+#
+# Exit codes:
+#   0 = hotfix track selected
+#   1 = thorough track selected
+#   2 = usage error (missing required args, invalid input)
+
+set -euo pipefail
+
+# ============================================================
+# ARGUMENT PARSING
+# ============================================================
+
+URGENCY=""
+ROOT_CAUSE_KNOWN=""
+STATE_FILE=""
+
+usage() {
+    cat << 'USAGE'
+Usage: select-debug-track.sh --urgency <critical|high|medium|low> --root-cause-known <yes|no>
+       select-debug-track.sh --state-file <path>
+
+Required (one of):
+  --urgency <level>            Urgency level: critical, high, medium, low
+  --root-cause-known <yes|no>  Whether the root cause is known
+  --state-file <path>          Path to workflow state JSON (reads urgency.level and investigation.rootCauseKnown)
+
+Optional:
+  --help                       Show this help message
+
+Exit codes:
+  0  Hotfix track selected
+  1  Thorough track selected
+  2  Usage error (missing args, invalid input)
+USAGE
+}
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --urgency)
+            if [[ -z "${2:-}" ]]; then
+                echo "Error: --urgency requires a level argument" >&2
+                exit 2
+            fi
+            URGENCY="$2"
+            shift 2
+            ;;
+        --root-cause-known)
+            if [[ -z "${2:-}" ]]; then
+                echo "Error: --root-cause-known requires yes or no" >&2
+                exit 2
+            fi
+            ROOT_CAUSE_KNOWN="$2"
+            shift 2
+            ;;
+        --state-file)
+            if [[ -z "${2:-}" ]]; then
+                echo "Error: --state-file requires a path argument" >&2
+                exit 2
+            fi
+            STATE_FILE="$2"
+            shift 2
+            ;;
+        --help)
+            usage
+            exit 0
+            ;;
+        *)
+            echo "Error: Unknown argument '$1'" >&2
+            usage >&2
+            exit 2
+            ;;
+    esac
+done
+
+# ============================================================
+# RESOLVE FROM STATE FILE
+# ============================================================
+
+if [[ -n "$STATE_FILE" && -z "$URGENCY" ]]; then
+    if [[ ! -f "$STATE_FILE" ]]; then
+        echo "Error: State file not found: $STATE_FILE" >&2
+        exit 2
+    fi
+
+    if ! command -v jq &>/dev/null; then
+        echo "Error: jq is required but not installed" >&2
+        exit 2
+    fi
+
+    URGENCY="$(jq -r '.urgency.level // empty' "$STATE_FILE")"
+    ROOT_CAUSE_KNOWN="$(jq -r '.investigation.rootCauseKnown // empty' "$STATE_FILE")"
+
+    if [[ -z "$URGENCY" ]]; then
+        echo "Error: No urgency.level found in state file" >&2
+        exit 2
+    fi
+    if [[ -z "$ROOT_CAUSE_KNOWN" ]]; then
+        echo "Error: No investigation.rootCauseKnown found in state file" >&2
+        exit 2
+    fi
+fi
+
+# ============================================================
+# VALIDATE INPUTS
+# ============================================================
+
+if [[ -z "$URGENCY" || -z "$ROOT_CAUSE_KNOWN" ]]; then
+    echo "Error: Both --urgency and --root-cause-known are required (or use --state-file)" >&2
+    usage >&2
+    exit 2
+fi
+
+case "$URGENCY" in
+    critical|high|medium|low) ;;
+    *)
+        echo "Error: Invalid urgency level '$URGENCY' (expected: critical, high, medium, low)" >&2
+        exit 2
+        ;;
+esac
+
+case "$ROOT_CAUSE_KNOWN" in
+    yes|no) ;;
+    *)
+        echo "Error: Invalid root-cause-known value '$ROOT_CAUSE_KNOWN' (expected: yes, no)" >&2
+        exit 2
+        ;;
+esac
+
+# ============================================================
+# DECISION TREE
+# ============================================================
+
+SELECTED_TRACK=""
+REASONING=""
+
+case "$URGENCY" in
+    critical)
+        if [[ "$ROOT_CAUSE_KNOWN" == "yes" ]]; then
+            SELECTED_TRACK="HOTFIX"
+            REASONING="Critical urgency with known root cause — hotfix is appropriate"
+        else
+            SELECTED_TRACK="THOROUGH"
+            REASONING="Critical urgency but unknown root cause — can't fix what you don't understand"
+        fi
+        ;;
+    high)
+        if [[ "$ROOT_CAUSE_KNOWN" == "yes" ]]; then
+            SELECTED_TRACK="HOTFIX"
+            REASONING="High urgency with known root cause — hotfix is appropriate"
+        else
+            SELECTED_TRACK="THOROUGH"
+            REASONING="High urgency but unknown root cause — thorough investigation needed"
+        fi
+        ;;
+    medium)
+        SELECTED_TRACK="THOROUGH"
+        REASONING="Medium urgency — thorough track always applies for non-critical issues"
+        ;;
+    low)
+        SELECTED_TRACK="THOROUGH"
+        REASONING="Low urgency — thorough track always applies for non-critical issues"
+        ;;
+esac
+
+# ============================================================
+# STRUCTURED OUTPUT
+# ============================================================
+
+echo "## Debug Track Selection"
+echo "- **Urgency:** $URGENCY"
+echo "- **Root cause known:** $ROOT_CAUSE_KNOWN"
+echo "- **Selected track:** $SELECTED_TRACK"
+echo "- **Reasoning:** $REASONING"
+
+if [[ "$SELECTED_TRACK" == "HOTFIX" ]]; then
+    exit 0
+else
+    exit 1
+fi