@mainahq/core 0.2.0

package/src/verify/__tests__/trivy.test.ts

@@ -0,0 +1,191 @@
+import { describe, expect, it } from "bun:test";
+import { parseTrivyJson, runTrivy } from "../trivy";
+
+// ─── parseTrivyJson ────────────────────────────────────────────────────────
+
+describe("parseTrivyJson", () => {
+	it("should return empty array for empty results", () => {
+		const json = JSON.stringify({ Results: [] });
+		const findings = parseTrivyJson(json);
+		expect(findings).toEqual([]);
+	});
+
+	it("should parse vulnerabilities from Trivy JSON output", () => {
+		const json = JSON.stringify({
+			Results: [
+				{
+					Target: "package-lock.json",
+					Type: "npm",
+					Vulnerabilities: [
+						{
+							VulnerabilityID: "CVE-2023-12345",
+							PkgName: "lodash",
+							InstalledVersion: "4.17.20",
+							FixedVersion: "4.17.21",
+							Severity: "HIGH",
+							Title: "Prototype Pollution in lodash",
+							Description: "lodash before 4.17.21 allows prototype pollution.",
+						},
+					],
+				},
+			],
+		});
+
+		const findings = parseTrivyJson(json);
+		expect(findings.length).toBe(1);
+		expect(findings[0]?.tool).toBe("trivy");
+		expect(findings[0]?.file).toBe("package-lock.json");
+		expect(findings[0]?.line).toBe(0);
+		expect(findings[0]?.severity).toBe("error");
+		expect(findings[0]?.ruleId).toBe("CVE-2023-12345");
+		expect(findings[0]?.message).toContain("lodash");
+		expect(findings[0]?.message).toContain("4.17.20");
+	});
+
+	it("should map Trivy severity levels correctly", () => {
+		const makeTrivy = (severity: string) =>
+			JSON.stringify({
+				Results: [
+					{
+						Target: "package.json",
+						Vulnerabilities: [
+							{
+								VulnerabilityID: "CVE-0000-0000",
+								PkgName: "pkg",
+								InstalledVersion: "1.0.0",
+								Severity: severity,
+								Title: "Test",
+							},
+						],
+					},
+				],
+			});
+
+		expect(parseTrivyJson(makeTrivy("CRITICAL"))[0]?.severity).toBe("error");
+		expect(parseTrivyJson(makeTrivy("HIGH"))[0]?.severity).toBe("error");
+		expect(parseTrivyJson(makeTrivy("MEDIUM"))[0]?.severity).toBe("warning");
+		expect(parseTrivyJson(makeTrivy("LOW"))[0]?.severity).toBe("info");
+		expect(parseTrivyJson(makeTrivy("UNKNOWN"))[0]?.severity).toBe("info");
+	});
+
+	it("should handle multiple targets with multiple vulnerabilities", () => {
+		const json = JSON.stringify({
+			Results: [
+				{
+					Target: "package-lock.json",
+					Vulnerabilities: [
+						{
+							VulnerabilityID: "CVE-2023-001",
+							PkgName: "pkg-a",
+							InstalledVersion: "1.0.0",
+							Severity: "HIGH",
+							Title: "Issue A",
+						},
+						{
+							VulnerabilityID: "CVE-2023-002",
+							PkgName: "pkg-b",
+							InstalledVersion: "2.0.0",
+							Severity: "LOW",
+							Title: "Issue B",
+						},
+					],
+				},
+				{
+					Target: "yarn.lock",
+					Vulnerabilities: [
+						{
+							VulnerabilityID: "CVE-2023-003",
+							PkgName: "pkg-c",
+							InstalledVersion: "3.0.0",
+							Severity: "CRITICAL",
+							Title: "Issue C",
+						},
+					],
+				},
+			],
+		});
+
+		const findings = parseTrivyJson(json);
+		expect(findings.length).toBe(3);
+		expect(findings[0]?.file).toBe("package-lock.json");
+		expect(findings[2]?.file).toBe("yarn.lock");
+	});
+
+	it("should handle targets with null vulnerabilities", () => {
+		const json = JSON.stringify({
+			Results: [
+				{
+					Target: "package.json",
+					Vulnerabilities: null,
+				},
+			],
+		});
+		const findings = parseTrivyJson(json);
+		expect(findings).toEqual([]);
+	});
+
+	it("should return empty array for invalid JSON", () => {
+		const findings = parseTrivyJson("not valid json {{{");
+		expect(findings).toEqual([]);
+	});
+
+	it("should return empty array for malformed structure", () => {
+		const findings = parseTrivyJson(JSON.stringify({ unexpected: true }));
+		expect(findings).toEqual([]);
+	});
+
+	it("should include fix version in message when available", () => {
+		const json = JSON.stringify({
+			Results: [
+				{
+					Target: "package.json",
+					Vulnerabilities: [
+						{
+							VulnerabilityID: "CVE-2023-999",
+							PkgName: "express",
+							InstalledVersion: "4.17.0",
+							FixedVersion: "4.18.0",
+							Severity: "HIGH",
+							Title: "Security issue",
+						},
+					],
+				},
+			],
+		});
+
+		const findings = parseTrivyJson(json);
+		expect(findings[0]?.message).toContain("4.18.0");
+	});
+});
+
+// ─── runTrivy ──────────────────────────────────────────────────────────────
+
+describe("runTrivy", () => {
+	it("should skip when trivy is not installed", async () => {
+		const result = await runTrivy();
+		if (result.skipped) {
+			expect(result.findings).toEqual([]);
+			expect(result.skipped).toBe(true);
+		} else {
+			expect(Array.isArray(result.findings)).toBe(true);
+			expect(result.skipped).toBe(false);
+		}
+	});
+
+	it("should return correct result shape", async () => {
+		const result = await runTrivy();
+		expect(result).toHaveProperty("findings");
+		expect(result).toHaveProperty("skipped");
+		expect(Array.isArray(result.findings)).toBe(true);
+		expect(typeof result.skipped).toBe("boolean");
+	});
+
+	it("should accept options without crashing", async () => {
+		const result = await runTrivy({
+			scanType: "fs",
+			cwd: "/tmp",
+		});
+		expect(result).toHaveProperty("findings");
+		expect(result).toHaveProperty("skipped");
+	});
+});

package/src/verify/__tests__/visual.test.ts

@@ -0,0 +1,139 @@
+import { describe, expect, it } from "bun:test";
+import { existsSync, mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { detectWebProject, loadVisualConfig } from "../visual";
+
+describe("detectWebProject", () => {
+	const testDir = join(import.meta.dir, "__fixtures__/visual-detect");
+
+	function setup(pkg: Record<string, unknown>) {
+		if (existsSync(testDir)) rmSync(testDir, { recursive: true });
+		mkdirSync(testDir, { recursive: true });
+		writeFileSync(join(testDir, "package.json"), JSON.stringify(pkg));
+	}
+
+	function cleanup() {
+		if (existsSync(testDir)) rmSync(testDir, { recursive: true });
+	}
+
+	it("should detect Next.js project", () => {
+		setup({ scripts: { dev: "next dev" } });
+		expect(detectWebProject(testDir)).toBe(true);
+		cleanup();
+	});
+
+	it("should detect Astro project", () => {
+		setup({ scripts: { dev: "astro dev" } });
+		expect(detectWebProject(testDir)).toBe(true);
+		cleanup();
+	});
+
+	it("should detect Vite project", () => {
+		setup({ scripts: { dev: "vite" } });
+		expect(detectWebProject(testDir)).toBe(true);
+		cleanup();
+	});
+
+	it("should detect webpack-dev-server", () => {
+		setup({ scripts: { start: "webpack serve" } });
+		expect(detectWebProject(testDir)).toBe(true);
+		cleanup();
+	});
+
+	it("should return false for non-web project", () => {
+		setup({ scripts: { start: "node server.js" } });
+		expect(detectWebProject(testDir)).toBe(false);
+		cleanup();
+	});
+
+	it("should return false when no package.json", () => {
+		if (existsSync(testDir)) rmSync(testDir, { recursive: true });
+		mkdirSync(testDir, { recursive: true });
+		expect(detectWebProject(testDir)).toBe(false);
+		cleanup();
+	});
+
+	it("should detect from devDependencies", () => {
+		setup({ devDependencies: { vite: "^5.0.0" } });
+		expect(detectWebProject(testDir)).toBe(true);
+		cleanup();
+	});
+});
+
+describe("loadVisualConfig", () => {
+	const testDir = join(import.meta.dir, "__fixtures__/visual-config");
+
+	function cleanup() {
+		if (existsSync(testDir)) rmSync(testDir, { recursive: true });
+	}
+
+	it("should return defaults when no config exists", () => {
+		cleanup();
+		mkdirSync(testDir, { recursive: true });
+		const config = loadVisualConfig(testDir);
+		expect(config.threshold).toBe(0.001);
+		expect(config.viewport.width).toBe(1280);
+		expect(config.viewport.height).toBe(720);
+		expect(config.urls).toEqual([]);
+		cleanup();
+	});
+
+	it("should load from preferences.json", () => {
+		cleanup();
+		mkdirSync(testDir, { recursive: true });
+		writeFileSync(
+			join(testDir, "preferences.json"),
+			JSON.stringify({
+				visual: {
+					urls: ["http://localhost:3000"],
+					threshold: 0.005,
+					viewport: { width: 1920, height: 1080 },
+				},
+			}),
+		);
+		const config = loadVisualConfig(testDir);
+		expect(config.urls).toEqual(["http://localhost:3000"]);
+		expect(config.threshold).toBe(0.005);
+		expect(config.viewport.width).toBe(1920);
+		cleanup();
+	});
+});
+
+describe("captureScreenshot", () => {
+	it("should return skipped when playwright is not available", async () => {
+		const { captureScreenshot } = await import("../visual");
+		const result = await captureScreenshot(
+			"http://localhost:9999",
+			"/tmp/test-screenshot.png",
+			{ available: false },
+		);
+		expect(result.captured).toBe(false);
+		expect(result.skipped).toBe(true);
+	});
+});
+
+describe("compareImages", () => {
+	it("should return 0 diff for identical images", async () => {
+		const { compareImages } = await import("../visual");
+		// Create two identical 2x2 white RGBA buffers
+		const img = Buffer.alloc(2 * 2 * 4, 255);
+		const result = compareImages(img, img, 2, 2);
+		expect(result.diffPixels).toBe(0);
+		expect(result.diffPercentage).toBe(0);
+	});
+
+	it("should detect difference between different images", async () => {
+		const { compareImages } = await import("../visual");
+		// 2x2 white image
+		const white = Buffer.alloc(2 * 2 * 4, 255);
+		// 2x2 black image
+		const black = Buffer.alloc(2 * 2 * 4, 0);
+		// Set alpha to 255 for black image
+		for (let i = 3; i < black.length; i += 4) {
+			black[i] = 255;
+		}
+		const result = compareImages(white, black, 2, 2);
+		expect(result.diffPixels).toBeGreaterThan(0);
+		expect(result.diffPercentage).toBeGreaterThan(0);
+	});
+});

package/src/verify/ai-review.ts

@@ -0,0 +1,276 @@
+/**
+ * AI Review — semantic code review using LLM.
+ *
+ * Two tiers:
+ * - mechanical (always-on): diff + referenced functions, <3s, warnings only
+ * - standard (--deep): adds spec/plan context, can emit errors
+ */
+
+import { tryAIGenerate } from "../ai/try-generate";
+import { buildCacheKey, hashContent } from "../cache/keys";
+import { createCacheManager } from "../cache/manager";
+import type { Finding } from "./diff-filter";
+
+// ─── Types ────────────────────────────────────────────────────────────────
+
+export interface ReferencedFunction {
+	name: string;
+	filePath: string;
+	body: string;
+}
+
+export interface EntityWithBody {
+	name: string;
+	kind: string;
+	startLine: number;
+	endLine: number;
+	filePath: string;
+	body: string;
+}
+
+export interface AIReviewOptions {
+	diff: string;
+	entities: EntityWithBody[];
+	deep?: boolean;
+	specContext?: string;
+	planContext?: string;
+	mainaDir: string;
+}
+
+export interface AIReviewResult {
+	findings: Finding[];
+	skipped: boolean;
+	tier: "mechanical" | "standard";
+	duration: number;
+}
+
+const MAX_REFS_PER_FILE = 3;
+
+// ─── Referenced Function Resolution ───────────────────────────────────────
+
+/**
+ * Extract function/method names called in added lines of a diff,
+ * then match them against known entities to get their bodies.
+ * Capped at MAX_REFS_PER_FILE (3) to bound token usage.
+ */
+export function resolveReferencedFunctions(
+	diff: string,
+	entities: EntityWithBody[],
+): ReferencedFunction[] {
+	// Extract added lines from diff
+	const addedLines = diff
+		.split("\n")
+		.filter((line) => line.startsWith("+") && !line.startsWith("+++"))
+		.join("\n");
+
+	if (!addedLines.trim()) return [];
+
+	// Extract identifier-like tokens that could be function calls
+	// Match word( pattern — likely a function call
+	const callPattern = /\b([a-zA-Z_$][\w$]*)\s*\(/g;
+	const calledNames = new Set<string>();
+	for (const match of addedLines.matchAll(callPattern)) {
+		if (match[1]) calledNames.add(match[1]);
+	}
+
+	// Remove common keywords that match the pattern
+	const KEYWORDS = new Set([
+		"if",
+		"for",
+		"while",
+		"switch",
+		"catch",
+		"function",
+		"return",
+		"new",
+		"typeof",
+		"instanceof",
+		"await",
+		"async",
+		"import",
+		"export",
+		"const",
+		"let",
+		"var",
+		"class",
+		"throw",
+	]);
+	for (const kw of KEYWORDS) calledNames.delete(kw);
+
+	if (calledNames.size === 0) return [];
+
+	// Match against known entities
+	const matched: ReferencedFunction[] = [];
+	for (const entity of entities) {
+		if (matched.length >= MAX_REFS_PER_FILE) break;
+		if (calledNames.has(entity.name)) {
+			matched.push({
+				name: entity.name,
+				filePath: entity.filePath,
+				body: entity.body,
+			});
+		}
+	}
+
+	return matched;
+}
+
+// ─── AI Review Runner ─────────────────────────────────────────────────────
+
+const VALID_RULE_IDS = new Set([
+	"ai-review/cross-function",
+	"ai-review/edge-case",
+	"ai-review/dead-code",
+	"ai-review/contract",
+	"ai-review/spec-compliance",
+	"ai-review/architecture",
+	"ai-review/coverage-gap",
+]);
+
+/**
+ * Parse the AI response JSON into Finding[].
+ * Returns null on any parse failure — caller should treat as skip.
+ */
+function parseAIResponse(text: string, deep: boolean): Finding[] | null {
+	try {
+		// Strip markdown fences if present
+		const cleaned = text
+			.replace(/^```json?\n?/m, "")
+			.replace(/\n?```$/m, "")
+			.trim();
+		const parsed = JSON.parse(cleaned);
+
+		if (!parsed || !Array.isArray(parsed.findings)) return null;
+
+		const findings: Finding[] = [];
+		for (const f of parsed.findings) {
+			if (!f.file || typeof f.line !== "number" || !f.message) continue;
+
+			let severity: Finding["severity"] =
+				f.severity === "error" ? "error" : "warning";
+			// Mechanical mode caps at warning
+			if (!deep && severity === "error") severity = "warning";
+
+			const ruleId = VALID_RULE_IDS.has(f.ruleId)
+				? f.ruleId
+				: "ai-review/edge-case";
+
+			findings.push({
+				tool: "ai-review",
+				file: f.file,
+				line: f.line,
+				message: f.message,
+				severity,
+				ruleId,
+			});
+		}
+
+		return findings;
+	} catch {
+		return null;
+	}
+}
+
+/**
+ * Run AI review on a diff.
+ *
+ * - mechanical (default): uses "code-review" task → mechanical tier model, caps at warning
+ * - standard (deep=true): uses "deep-code-review" task → standard tier model, can emit error
+ *
+ * Gracefully skips on AI failure, host delegation, or malformed response.
+ */
+export async function runAIReview(
+	options: AIReviewOptions,
+): Promise<AIReviewResult> {
+	const start = performance.now();
+	const {
+		diff,
+		entities,
+		deep = false,
+		specContext,
+		planContext,
+		mainaDir,
+	} = options;
+
+	if (!diff.trim()) {
+		return {
+			findings: [],
+			skipped: true,
+			tier: deep ? "standard" : "mechanical",
+			duration: 0,
+		};
+	}
+
+	// Resolve referenced functions from entities
+	const refs = resolveReferencedFunctions(diff, entities);
+	const refsText =
+		refs.length > 0
+			? refs
+					.map(
+						(r) =>
+							`### ${r.name} (${r.filePath})\n\`\`\`typescript\n${r.body}\n\`\`\``,
+					)
+					.join("\n\n")
+			: "None found.";
+
+	const task = deep ? "deep-code-review" : "code-review";
+	const reviewMode = deep
+		? "deep — check everything including spec compliance. May emit error severity."
+		: "mechanical — check cross-function consistency and edge cases only. All findings are warning severity.";
+
+	// ── Cache check ──────────────────────────────────────────────────────
+	const cacheKey = await buildCacheKey({
+		task,
+		extra: hashContent(diff + refsText),
+	});
+
+	const cache = createCacheManager(mainaDir);
+	const cached = cache.get(cacheKey);
+	if (cached) {
+		try {
+			const findings = JSON.parse(cached.value) as Finding[];
+			const duration = Math.round(performance.now() - start);
+			return {
+				findings,
+				skipped: false,
+				tier: deep ? "standard" : "mechanical",
+				duration,
+			};
+		} catch {
+			// Corrupted cache entry — fall through to AI
+		}
+	}
+
+	// ── AI call ──────────────────────────────────────────────────────────
+	const variables: Record<string, string> = {
+		diff,
+		referencedFunctions: refsText,
+		reviewMode,
+	};
+
+	if (deep && specContext) variables.specContext = specContext;
+	if (deep && planContext) variables.planContext = planContext;
+
+	const userPrompt = `Review this diff for semantic issues:\n\n${diff}`;
+
+	const aiResult = await tryAIGenerate(task, mainaDir, variables, userPrompt);
+
+	const duration = Math.round(performance.now() - start);
+	const tier = deep ? "standard" : "mechanical";
+
+	// Host delegation or no AI → skip (no cache entry per spec)
+	if (!aiResult.text || aiResult.hostDelegation) {
+		return { findings: [], skipped: true, tier, duration };
+	}
+
+	// Parse response
+	const findings = parseAIResponse(aiResult.text, deep);
+	if (findings === null) {
+		return { findings: [], skipped: true, tier, duration };
+	}
+
+	// Cache successful result
+	cache.set(cacheKey, JSON.stringify(findings));
+
+	return { findings, skipped: false, tier, duration };
+}