npm - @mainahq/core - Versions diffs - 0.2.0 → 0.4.0 - Mend

@mainahq/core 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/package.json +4 -1
package/src/ai/__tests__/delegation.test.ts +105 -0
package/src/ai/delegation.ts +111 -0
package/src/ai/try-generate.ts +17 -0
package/src/cloud/__tests__/auth.test.ts +164 -0
package/src/cloud/__tests__/client.test.ts +253 -0
package/src/cloud/auth.ts +232 -0
package/src/cloud/client.ts +190 -0
package/src/cloud/types.ts +106 -0
package/src/context/relevance.ts +5 -0
package/src/context/retrieval.ts +3 -0
package/src/context/semantic.ts +3 -0
package/src/feedback/__tests__/trace-analysis.test.ts +98 -0
package/src/feedback/trace-analysis.ts +153 -0
package/src/index.ts +55 -0
package/src/init/__tests__/init.test.ts +51 -0
package/src/init/index.ts +43 -0
package/src/language/__tests__/detect.test.ts +61 -1
package/src/language/__tests__/profile.test.ts +68 -1
package/src/language/detect.ts +33 -3
package/src/language/profile.ts +67 -2
package/src/ticket/index.ts +5 -0
package/src/verify/__tests__/consistency.test.ts +98 -0
package/src/verify/__tests__/lighthouse.test.ts +215 -0
package/src/verify/__tests__/linters/checkstyle.test.ts +23 -0
package/src/verify/__tests__/linters/dotnet-format.test.ts +18 -0
package/src/verify/__tests__/pipeline.test.ts +21 -2
package/src/verify/__tests__/typecheck.test.ts +160 -0
package/src/verify/__tests__/zap.test.ts +188 -0
package/src/verify/consistency.ts +199 -0
package/src/verify/detect.ts +13 -1
package/src/verify/lighthouse.ts +173 -0
package/src/verify/linters/checkstyle.ts +41 -0
package/src/verify/linters/dotnet-format.ts +37 -0
package/src/verify/pipeline.ts +20 -2
package/src/verify/syntax-guard.ts +8 -0
package/src/verify/typecheck.ts +178 -0
package/src/verify/zap.ts +189 -0

package/src/verify/pipeline.ts CHANGED Viewed

@@ -19,6 +19,7 @@ import { detectLanguages } from "../language/detect";
 import type { LanguageId } from "../language/profile";
 import { getProfile } from "../language/profile";
 import { type AIReviewResult, runAIReview } from "./ai-review";
+import { checkConsistency } from "./consistency";
 import { runCoverage } from "./coverage";
 import type { DetectedTool } from "./detect";
 import { detectTools } from "./detect";
@@ -32,6 +33,7 @@ import { runSonar } from "./sonar";
 import type { SyntaxDiagnostic } from "./syntax-guard";
 import { syntaxGuard } from "./syntax-guard";
 import { runTrivy } from "./trivy";
+import { runTypecheck } from "./typecheck";
 // ─── Types ────────────────────────────────────────────────────────────────
@@ -223,10 +225,26 @@ export async function runPipeline(
 		),
 	);
+	// Built-in checks (always run, no external tool dependency)
+	toolPromises.push(
+		runToolWithTiming("typecheck", async () => {
+			const result = await runTypecheck(files, cwd, { language: primaryLang });
+			return { findings: result.findings, skipped: result.skipped };
+		}),
+	);
+	toolPromises.push(
+		runToolWithTiming("consistency", async () => {
+			const result = await checkConsistency(files, cwd, mainaDir);
+			return { findings: result.findings, skipped: false };
+		}),
+	);
 	const toolReports = await Promise.all(toolPromises);
 	// ── Step 4b: Warn if all external tools were skipped ─────────────────
-	const externalTools = toolReports.filter((r) => r.tool !== "slop");
+	const builtInTools = new Set(["slop", "typecheck", "consistency"]);
+	const externalTools = toolReports.filter((r) => !builtInTools.has(r.tool));
 	const allExternalSkipped =
 		externalTools.length > 0 && externalTools.every((r) => r.skipped);
@@ -242,7 +260,7 @@ export async function runPipeline(
 			tool: "pipeline",
 			file: "",
 			line: 0,
-			message: `No external verification tools ran (${skippedNames} skipped). Run \`maina doctor\` to check tool health or \`maina init\` to configure.`,
+			message: `WARNING: No external verification tools detected (${skippedNames} skipped). Built-in checks (typecheck, consistency, slop) still ran. Run \`maina init --install\` to add external tools.`,
 			severity: "warning",
 		});
 	}

package/src/verify/syntax-guard.ts CHANGED Viewed

@@ -13,7 +13,9 @@ import { join } from "node:path";
 import type { Result } from "../db/index";
 import type { LanguageProfile } from "../language/profile";
 import { TYPESCRIPT_PROFILE } from "../language/profile";
+import { parseCheckstyleOutput } from "./linters/checkstyle";
 import { parseClippyOutput } from "./linters/clippy";
+import { parseDotnetFormatOutput } from "./linters/dotnet-format";
 import { parseGoVetOutput } from "./linters/go-vet";
 import { parseRuffOutput } from "./linters/ruff";
@@ -225,6 +227,12 @@ async function runLanguageLinter(
 			case "rust":
 				diagnostics = parseClippyOutput(stdout);
 				break;
+			case "csharp":
+				diagnostics = parseDotnetFormatOutput(stdout);
+				break;
+			case "java":
+				diagnostics = parseCheckstyleOutput(stdout);
+				break;
 		}
 		const errors = diagnostics.filter((d) => d.severity === "error");

package/src/verify/typecheck.ts ADDED Viewed

@@ -0,0 +1,178 @@
+/**
+ * Built-in Type Checking — runs language-native type checkers as a verify step.
+ *
+ * Zero external tool install required for TypeScript projects (uses project's tsc).
+ * For other languages: mypy (Python), go vet (Go), cargo check (Rust),
+ * dotnet build (C#), javac (Java).
+ */
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+import type { LanguageId } from "../language/profile";
+import type { Finding } from "./diff-filter";
+// ─── Types ────────────────────────────────────────────────────────────────
+export interface TypecheckResult {
+	findings: Finding[];
+	duration: number;
+	tool: string;
+	skipped: boolean;
+}
+export interface TypecheckCommand {
+	tool: string;
+	command: string;
+	args: string[];
+	configFile?: string;
+}
+// ─── Language-specific commands ───────────────────────────────────────────
+const TYPECHECK_COMMANDS: Record<LanguageId, TypecheckCommand> = {
+	typescript: {
+		tool: "tsc",
+		command: "tsc",
+		args: ["--noEmit", "--pretty", "false"],
+		configFile: "tsconfig.json",
+	},
+	python: {
+		tool: "mypy",
+		command: "mypy",
+		args: ["--no-color-output", "--no-error-summary"],
+	},
+	go: {
+		tool: "go-vet",
+		command: "go",
+		args: ["vet", "./..."],
+	},
+	rust: {
+		tool: "cargo-check",
+		command: "cargo",
+		args: ["check", "--message-format=short"],
+	},
+	csharp: {
+		tool: "dotnet-build",
+		command: "dotnet",
+		args: ["build", "--no-restore", "--verbosity", "quiet"],
+	},
+	java: {
+		tool: "javac",
+		command: "javac",
+		args: ["-Xlint:all"],
+	},
+	php: {
+		tool: "phpstan",
+		command: "phpstan",
+		args: ["analyse", "--error-format=json", "--no-progress"],
+	},
+};
+export function getTypecheckCommand(language: LanguageId): TypecheckCommand {
+	return TYPECHECK_COMMANDS[language];
+}
+// ─── TSC Output Parser ───────────────────────────────────────────────────
+/**
+ * Parse tsc --noEmit --pretty false output into Finding[].
+ *
+ * Format: file(line,col): error TSxxxx: message
+ */
+export function parseTscOutput(output: string): Finding[] {
+	if (!output.trim()) return [];
+	const findings: Finding[] = [];
+	const pattern =
+		/^(.+?)\((\d+),(\d+)\):\s+(error|warning)\s+(TS\d+):\s+(.+)$/gm;
+	for (const match of output.matchAll(pattern)) {
+		findings.push({
+			tool: "tsc",
+			file: match[1] ?? "",
+			line: Number.parseInt(match[2] ?? "0", 10),
+			column: Number.parseInt(match[3] ?? "0", 10),
+			message: `${match[5] ?? ""}: ${match[6] ?? ""}`,
+			severity: match[4] === "error" ? "error" : "warning",
+			ruleId: match[5] ?? "",
+		});
+	}
+	return findings;
+}
+// ─── Runner ──────────────────────────────────────────────────────────────
+export async function runTypecheck(
+	files: string[],
+	cwd: string,
+	options?: { command?: string; language?: LanguageId },
+): Promise<TypecheckResult> {
+	const language = options?.language ?? "typescript";
+	const cmd = TYPECHECK_COMMANDS[language];
+	const start = performance.now();
+	// Check config file exists (e.g., tsconfig.json for TS)
+	if (cmd.configFile && !existsSync(join(cwd, cmd.configFile))) {
+		return {
+			findings: [],
+			duration: performance.now() - start,
+			tool: cmd.tool,
+			skipped: true,
+		};
+	}
+	// Resolve command: check node_modules/.bin first (for tsc, mypy, etc.)
+	const localBin = join(cwd, "node_modules", ".bin", cmd.command);
+	const command =
+		options?.command ?? (existsSync(localBin) ? localBin : cmd.command);
+	try {
+		const proc = Bun.spawn([command, ...cmd.args], {
+			cwd,
+			stdout: "pipe",
+			stderr: "pipe",
+			env: { ...process.env, NO_COLOR: "1" },
+		});
+		const stdout = await new Response(proc.stdout).text();
+		const stderr = await new Response(proc.stderr).text();
+		await proc.exited;
+		const output = stdout + stderr;
+		let findings: Finding[];
+		if (language === "typescript") {
+			findings = parseTscOutput(output);
+		} else {
+			// For other languages, treat any non-zero exit as a generic finding
+			findings =
+				proc.exitCode !== 0 && output.trim()
+					? [
+							{
+								tool: cmd.tool,
+								file: files[0] ?? "unknown",
+								line: 1,
+								message: output.trim().split("\n")[0] ?? "Type check failed",
+								severity: "error" as const,
+							},
+						]
+					: [];
+		}
+		return {
+			findings,
+			duration: performance.now() - start,
+			tool: cmd.tool,
+			skipped: false,
+		};
+	} catch {
+		// Command not found or other spawn error
+		return {
+			findings: [],
+			duration: performance.now() - start,
+			tool: cmd.tool,
+			skipped: true,
+		};
+	}
+}

package/src/verify/zap.ts ADDED Viewed

@@ -0,0 +1,189 @@
+/**
+ * ZAP DAST Integration for the Verify Engine.
+ *
+ * Runs OWASP ZAP baseline scan via Docker against a target URL.
+ * Parses JSON output into the unified Finding type.
+ * Gracefully skips if Docker is not available or no target URL configured.
+ */
+import { isToolAvailable } from "./detect";
+import type { Finding } from "./diff-filter";
+// ─── Types ────────────────────────────────────────────────────────────────
+export interface ZapOptions {
+	targetUrl: string;
+	cwd: string;
+	/** Pre-resolved availability — skips redundant detection if provided. */
+	available?: boolean;
+}
+export interface ZapResult {
+	findings: Finding[];
+	skipped: boolean;
+}
+// ─── JSON Parsing ─────────────────────────────────────────────────────────
+/**
+ * Map ZAP risk description to unified severity.
+ *
+ * ZAP riskdesc format: "High (Medium)", "Medium (Low)", "Low (Medium)", etc.
+ * We extract the first word (risk level) to map severity.
+ */
+function mapZapRisk(riskdesc: string): "error" | "warning" | "info" {
+	const risk = riskdesc.split(" ")[0]?.toLowerCase() ?? "";
+	switch (risk) {
+		case "high":
+			return "error";
+		case "medium":
+			return "warning";
+		case "low":
+		case "informational":
+			return "info";
+		default:
+			return "warning";
+	}
+}
+/**
+ * Parse ZAP JSON output into Finding[].
+ *
+ * ZAP JSON baseline report has this structure:
+ * ```json
+ * {
+ *   "site": [{
+ *     "alerts": [{
+ *       "pluginid": "10021",
+ *       "alert": "X-Content-Type-Options Header Missing",
+ *       "riskdesc": "Low (Medium)",
+ *       "desc": "The Anti-MIME-Sniffing header is not set.",
+ *       "instances": [{
+ *         "uri": "https://example.com/api/health",
+ *         "method": "GET"
+ *       }]
+ *     }]
+ *   }]
+ * }
+ * ```
+ *
+ * Each alert may have multiple instances (URLs). We create one Finding per
+ * instance. If an alert has no instances, we still emit one Finding with
+ * an empty file.
+ *
+ * Handles malformed JSON and unexpected structures gracefully.
+ */
+export function parseZapJson(json: string): Finding[] {
+	let parsed: Record<string, unknown>;
+	try {
+		parsed = JSON.parse(json) as Record<string, unknown>;
+	} catch {
+		return [];
+	}
+	const sites = parsed.site;
+	if (!Array.isArray(sites)) {
+		return [];
+	}
+	const findings: Finding[] = [];
+	for (const site of sites) {
+		const s = site as Record<string, unknown>;
+		const alerts = s.alerts;
+		if (!Array.isArray(alerts)) {
+			continue;
+		}
+		for (const alert of alerts) {
+			const a = alert as Record<string, unknown>;
+			const pluginId = (a.pluginid as string) ?? undefined;
+			const alertName = (a.alert as string) ?? "";
+			const riskdesc = (a.riskdesc as string) ?? "Informational";
+			const desc = (a.desc as string) ?? "";
+			const instances = a.instances;
+			const severity = mapZapRisk(riskdesc);
+			const message = `${alertName}: ${desc}`;
+			if (Array.isArray(instances) && instances.length > 0) {
+				for (const instance of instances) {
+					const inst = instance as Record<string, unknown>;
+					const uri = (inst.uri as string) ?? "";
+					findings.push({
+						tool: "zap",
+						file: uri,
+						line: 0,
+						message,
+						severity,
+						ruleId: pluginId,
+					});
+				}
+			} else {
+				findings.push({
+					tool: "zap",
+					file: "",
+					line: 0,
+					message,
+					severity,
+					ruleId: pluginId,
+				});
+			}
+		}
+	}
+	return findings;
+}
+// ─── Runner ───────────────────────────────────────────────────────────────
+/**
+ * Run ZAP baseline scan via Docker and return parsed findings.
+ *
+ * If Docker is not available or no targetUrl is configured,
+ * returns `{ findings: [], skipped: true }`.
+ * If ZAP fails, returns `{ findings: [], skipped: false }`.
+ */
+export async function runZap(options: ZapOptions): Promise<ZapResult> {
+	if (!options.targetUrl) {
+		return { findings: [], skipped: true };
+	}
+	const toolAvailable = options.available ?? (await isToolAvailable("zap"));
+	if (!toolAvailable) {
+		return { findings: [], skipped: true };
+	}
+	const cwd = options.cwd;
+	const args = [
+		"docker",
+		"run",
+		"--rm",
+		"zaproxy/zap-stable",
+		"zap-baseline.py",
+		"-t",
+		options.targetUrl,
+		"-J",
+		"report.json",
+	];
+	try {
+		const proc = Bun.spawn(args, {
+			cwd,
+			stdout: "pipe",
+			stderr: "pipe",
+		});
+		const stdout = await new Response(proc.stdout).text();
+		await new Response(proc.stderr).text();
+		await proc.exited;
+		const findings = parseZapJson(stdout);
+		return { findings, skipped: false };
+	} catch {
+		return { findings: [], skipped: false };
+	}
+}