@massu/core 0.1.0 → 0.1.1

package/src/__tests__/schema-mapper.test.ts

@@ -0,0 +1,29 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+import { describe, it, expect } from 'vitest';
+import { existsSync } from 'fs';
+import { parsePrismaSchema } from '../schema-mapper.ts';
+import { getResolvedPaths } from '../config.ts';
+
+const schemaExists = existsSync(getResolvedPaths().prismaSchemaPath);
+
+describe('parsePrismaSchema', () => {
+  it('parses the Prisma schema file', () => {
+    if (!schemaExists) {
+      // No schema in this project - verify it throws gracefully
+      expect(() => parsePrismaSchema()).toThrow('Prisma schema not found');
+      return;
+    }
+    const models = parsePrismaSchema();
+    expect(models.length).toBeGreaterThan(0);
+  });
+
+  it('finds models with fields', () => {
+    if (!schemaExists) return;
+    const models = parsePrismaSchema();
+    for (const model of models) {
+      expect(model.fields.length).toBeGreaterThan(0);
+    }
+  });
+});

package/src/__tests__/security-scorer.test.ts

@@ -0,0 +1,238 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import Database from 'better-sqlite3';
+import { writeFileSync, mkdirSync, rmSync } from 'fs';
+import { join } from 'path';
+import {
+  getSecurityToolDefinitions,
+  isSecurityTool,
+  scoreFileSecurity,
+  storeSecurityScore,
+  handleSecurityToolCall,
+} from '../security-scorer.ts';
+
+function createTestDb(): Database.Database {
+  const db = new Database(':memory:');
+  db.exec(`
+    CREATE TABLE security_scores (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      session_id TEXT NOT NULL,
+      file_path TEXT NOT NULL,
+      risk_score INTEGER NOT NULL DEFAULT 0,
+      findings TEXT,
+      created_at TEXT DEFAULT (datetime('now'))
+    );
+
+    CREATE TABLE sessions (
+      session_id TEXT PRIMARY KEY,
+      status TEXT,
+      started_at_epoch INTEGER
+    );
+  `);
+  return db;
+}
+
+describe('security-scorer', () => {
+  let db: Database.Database;
+  const testDir = '/tmp/security-scorer-test';
+
+  beforeEach(() => {
+    db = createTestDb();
+    try {
+      rmSync(testDir, { recursive: true, force: true });
+    } catch { /* ignore */ }
+    mkdirSync(testDir, { recursive: true });
+  });
+
+  afterEach(() => {
+    db.close();
+    try {
+      rmSync(testDir, { recursive: true, force: true });
+    } catch { /* ignore */ }
+  });
+
+  describe('getSecurityToolDefinitions', () => {
+    it('returns 3 tool definitions', () => {
+      const tools = getSecurityToolDefinitions();
+      expect(tools).toHaveLength(3);
+      expect(tools.map(t => t.name.split('_').slice(-2).join('_'))).toEqual([
+        'security_score',
+        'security_heatmap',
+        'security_trend',
+      ]);
+    });
+
+    it('has required fields in tool definitions', () => {
+      const tools = getSecurityToolDefinitions();
+      tools.forEach(tool => {
+        expect(tool.name).toBeTruthy();
+        expect(tool.description).toBeTruthy();
+        expect(tool.inputSchema).toBeDefined();
+      });
+    });
+  });
+
+  describe('isSecurityTool', () => {
+    it('returns true for security tool names', () => {
+      expect(isSecurityTool('massu_security_score')).toBe(true);
+      expect(isSecurityTool('massu_security_heatmap')).toBe(true);
+      expect(isSecurityTool('massu_security_trend')).toBe(true);
+    });
+
+    it('returns false for non-security tool names', () => {
+      expect(isSecurityTool('massu_adr_list')).toBe(false);
+      expect(isSecurityTool('massu_unknown')).toBe(false);
+    });
+  });
+
+  describe('scoreFileSecurity', () => {
+    it('returns 0 for non-existent file', () => {
+      const result = scoreFileSecurity('nonexistent.ts', testDir);
+      expect(result.riskScore).toBe(0);
+      expect(result.findings).toEqual([]);
+    });
+
+    it('detects hardcoded credentials', () => {
+      const filePath = join(testDir, 'test.ts');
+      writeFileSync(filePath, `const api_key = "sk-1234567890abcdef";\n`);
+
+      const result = scoreFileSecurity(filePath, testDir);
+      expect(result.riskScore).toBeGreaterThan(0);
+      expect(result.findings.length).toBeGreaterThan(0);
+      expect(result.findings[0].severity).toBe('critical');
+      expect(result.findings[0].description).toContain('credential');
+    });
+
+    it('detects publicProcedure.mutation vulnerability', () => {
+      const filePath = join(testDir, 'router.ts');
+      writeFileSync(filePath, `export const router = publicProcedure.mutation(async () => {});\n`);
+
+      const result = scoreFileSecurity(filePath, testDir);
+      expect(result.riskScore).toBeGreaterThan(0);
+      const mutation = result.findings.find(f => f.description.includes('Mutation without authentication'));
+      expect(mutation).toBeDefined();
+      expect(mutation?.severity).toBe('critical');
+    });
+
+    it('detects eval usage', () => {
+      const filePath = join(testDir, 'dangerous.ts');
+      writeFileSync(filePath, `const result = eval(userInput);\n`);
+
+      const result = scoreFileSecurity(filePath, testDir);
+      expect(result.riskScore).toBeGreaterThan(0);
+      const evalFinding = result.findings.find(f => f.description.includes('eval()'));
+      expect(evalFinding).toBeDefined();
+      expect(evalFinding?.severity).toBe('high');
+    });
+
+    it('detects dangerouslySetInnerHTML in tsx files', () => {
+      const filePath = join(testDir, 'component.tsx');
+      writeFileSync(filePath, `<div dangerouslySetInnerHTML={{ __html: html }} />\n`);
+
+      const result = scoreFileSecurity(filePath, testDir);
+      expect(result.riskScore).toBeGreaterThan(0);
+      const xss = result.findings.find(f => f.description.includes('XSS risk'));
+      expect(xss).toBeDefined();
+      expect(xss?.severity).toBe('high');
+    });
+
+    it('returns 0 for clean file', () => {
+      const filePath = join(testDir, 'clean.ts');
+      writeFileSync(filePath, `export function add(a: number, b: number) { return a + b; }\n`);
+
+      const result = scoreFileSecurity(filePath, testDir);
+      expect(result.riskScore).toBe(0);
+      expect(result.findings).toEqual([]);
+    });
+
+    it('caps risk score at 100', () => {
+      const filePath = join(testDir, 'critical.ts');
+      writeFileSync(filePath, `
+        const password = "hardcoded-secret-12345";
+        const token = "sk-1234567890abcdef";
+        const apiKey = "another-secret-key-abc";
+        publicProcedure.mutation(async () => {});
+        eval(userInput);
+        exec(\`rm -rf \${dir}\`);
+      `);
+
+      const result = scoreFileSecurity(filePath, testDir);
+      expect(result.riskScore).toBeLessThanOrEqual(100);
+    });
+
+    it('blocks path traversal attacks', () => {
+      const result = scoreFileSecurity('../../../etc/passwd', testDir);
+      expect(result.riskScore).toBe(100);
+      expect(result.findings[0].severity).toBe('critical');
+      expect(result.findings[0].description).toContain('Path traversal blocked');
+    });
+  });
+
+  describe('storeSecurityScore', () => {
+    it('stores security score in database', () => {
+      storeSecurityScore(db, 'session-123', 'src/test.ts', 42, [
+        { pattern: 'test', severity: 'high', line: 10, description: 'Test finding' },
+      ]);
+
+      const row = db.prepare('SELECT * FROM security_scores WHERE session_id = ?').get('session-123') as Record<string, unknown>;
+      expect(row.file_path).toBe('src/test.ts');
+      expect(row.risk_score).toBe(42);
+
+      const findings = JSON.parse(row.findings as string) as Array<Record<string, unknown>>;
+      expect(findings).toHaveLength(1);
+      expect(findings[0].description).toBe('Test finding');
+    });
+  });
+
+  describe('handleSecurityToolCall', () => {
+    it('handles security_score for file', () => {
+      const filePath = join(testDir, 'test.ts');
+      writeFileSync(filePath, `export const x = 1;\n`);
+
+      // Create active session
+      db.prepare(`INSERT INTO sessions (session_id, status, started_at_epoch) VALUES (?, ?, ?)`).run(
+        'test-session',
+        'active',
+        Math.floor(Date.now() / 1000)
+      );
+
+      const result = handleSecurityToolCall('massu_security_score', { file_path: filePath }, db);
+      const text = result.content[0].text;
+      expect(text).toContain('Security Score');
+      expect(text).toContain(filePath);
+    });
+
+    it('handles security_heatmap with no data', () => {
+      const result = handleSecurityToolCall('massu_security_heatmap', {}, db);
+      const text = result.content[0].text;
+      expect(text).toContain('No files with risk score');
+    });
+
+    it('handles security_heatmap with threshold', () => {
+      storeSecurityScore(db, 'session-1', 'file1.ts', 50, []);
+      storeSecurityScore(db, 'session-1', 'file2.ts', 80, []);
+      storeSecurityScore(db, 'session-1', 'file3.ts', 20, []);
+
+      const result = handleSecurityToolCall('massu_security_heatmap', { threshold: 30 }, db);
+      const text = result.content[0].text;
+      expect(text).toContain('Security Heat Map');
+      expect(text).toContain('file1.ts');
+      expect(text).toContain('file2.ts');
+      expect(text).not.toContain('file3.ts');
+    });
+
+    it('handles security_trend with no data', () => {
+      const result = handleSecurityToolCall('massu_security_trend', {}, db);
+      const text = result.content[0].text;
+      expect(text).toContain('No security scan data');
+    });
+
+    it('handles unknown tool name', () => {
+      const result = handleSecurityToolCall('massu_security_unknown', {}, db);
+      const text = result.content[0].text;
+      expect(text).toContain('Unknown security tool');
+    });
+  });
+});

package/src/__tests__/security-utils.test.ts

@@ -0,0 +1,175 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+import { describe, it, expect } from 'vitest';
+import {
+  ensureWithinRoot,
+  escapeRegex,
+  safeRegex,
+  globToSafeRegex,
+  redactSensitiveContent,
+  enforceSeverityFloors,
+  MINIMUM_SEVERITY_WEIGHTS,
+} from '../security-utils.ts';
+
+describe('ensureWithinRoot', () => {
+  const root = '/projects/my-app';
+
+  it('allows paths within root', () => {
+    expect(ensureWithinRoot('src/index.ts', root)).toBe('/projects/my-app/src/index.ts');
+  });
+
+  it('allows nested paths', () => {
+    expect(ensureWithinRoot('src/lib/utils/helpers.ts', root)).toBe('/projects/my-app/src/lib/utils/helpers.ts');
+  });
+
+  it('blocks path traversal with ../', () => {
+    expect(() => ensureWithinRoot('../../etc/passwd', root)).toThrow('Path traversal blocked');
+  });
+
+  it('blocks path traversal with encoded sequences', () => {
+    expect(() => ensureWithinRoot('../../../etc/shadow', root)).toThrow('Path traversal blocked');
+  });
+
+  it('normalizes paths with ./ segments', () => {
+    expect(ensureWithinRoot('./src/../src/index.ts', root)).toBe('/projects/my-app/src/index.ts');
+  });
+
+  it('blocks traversal that resolves outside after normalization', () => {
+    expect(() => ensureWithinRoot('src/../../../../etc/passwd', root)).toThrow('Path traversal blocked');
+  });
+});
+
+describe('escapeRegex', () => {
+  it('escapes special regex characters', () => {
+    expect(escapeRegex('hello.world')).toBe('hello\\.world');
+    expect(escapeRegex('a+b*c')).toBe('a\\+b\\*c');
+    expect(escapeRegex('foo(bar)')).toBe('foo\\(bar\\)');
+  });
+
+  it('leaves normal strings unchanged', () => {
+    expect(escapeRegex('hello world')).toBe('hello world');
+  });
+
+  it('escapes all PCRE special chars', () => {
+    const special = '.*+?^${}()|[]\\';
+    const escaped = escapeRegex(special);
+    // Every char should be escaped
+    expect(escaped).toBe('\\.\\*\\+\\?\\^\\$\\{\\}\\(\\)\\|\\[\\]\\\\');
+  });
+});
+
+describe('safeRegex', () => {
+  it('compiles simple patterns', () => {
+    const re = safeRegex('hello|world');
+    expect(re).toBeInstanceOf(RegExp);
+    expect(re!.test('hello')).toBe(true);
+  });
+
+  it('rejects nested quantifiers (ReDoS)', () => {
+    expect(safeRegex('(a+)+')).toBeNull();
+    expect(safeRegex('(a*)*')).toBeNull();
+    expect(safeRegex('(a+){2,}')).toBeNull();
+  });
+
+  it('rejects excessively long patterns', () => {
+    expect(safeRegex('a'.repeat(501))).toBeNull();
+  });
+
+  it('rejects invalid regex syntax', () => {
+    expect(safeRegex('(?P<invalid')).toBeNull();
+  });
+
+  it('accepts reasonable patterns', () => {
+    expect(safeRegex('\\bctx\\.prisma\\b')).toBeInstanceOf(RegExp);
+    expect(safeRegex('import.*from')).toBeInstanceOf(RegExp);
+  });
+
+  it('supports flags', () => {
+    const re = safeRegex('hello', 'i');
+    expect(re!.test('HELLO')).toBe(true);
+  });
+});
+
+describe('globToSafeRegex', () => {
+  it('converts simple glob with single star', () => {
+    const re = globToSafeRegex('src/**/*.ts');
+    expect(re.test('src/lib/utils.ts')).toBe(true);
+    expect(re.test('src/deep/nested/file.ts')).toBe(true);
+  });
+
+  it('does not match across path separators with single star', () => {
+    const re = globToSafeRegex('src/*.ts');
+    expect(re.test('src/index.ts')).toBe(true);
+    expect(re.test('src/lib/index.ts')).toBe(false);
+  });
+
+  it('escapes special regex chars in the glob', () => {
+    const re = globToSafeRegex('src/components/(portal)/*.tsx');
+    expect(re.test('src/components/(portal)/page.tsx')).toBe(true);
+  });
+});
+
+describe('redactSensitiveContent', () => {
+  it('redacts API keys', () => {
+    expect(redactSensitiveContent('key: sk-abc123def456ghij')).toContain('[REDACTED_KEY]');
+    expect(redactSensitiveContent('token: ghp_1234567890abcdef')).toContain('[REDACTED_KEY]');
+  });
+
+  it('redacts email addresses', () => {
+    expect(redactSensitiveContent('contact user@example.com')).toContain('[REDACTED_EMAIL]');
+  });
+
+  it('redacts Bearer tokens', () => {
+    expect(redactSensitiveContent('Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig'))
+      .toContain('[REDACTED_TOKEN]');
+  });
+
+  it('redacts absolute file paths', () => {
+    expect(redactSensitiveContent('file at /Users/john/secrets/key.pem')).toContain('[REDACTED_PATH]');
+  });
+
+  it('redacts connection strings', () => {
+    expect(redactSensitiveContent('postgres://admin:s3cret@db.host.com/mydb'))
+      .toContain('[REDACTED_CREDENTIALS]');
+  });
+
+  it('preserves non-sensitive content', () => {
+    const safe = 'This is a normal prompt about implementing a feature';
+    expect(redactSensitiveContent(safe)).toBe(safe);
+  });
+});
+
+describe('enforceSeverityFloors', () => {
+  const defaults = { critical: 25, high: 15, medium: 8, low: 3 };
+
+  it('uses config values when above floor', () => {
+    const result = enforceSeverityFloors({ critical: 30, high: 20 }, defaults);
+    expect(result.critical).toBe(30);
+    expect(result.high).toBe(20);
+  });
+
+  it('enforces minimum floors', () => {
+    const result = enforceSeverityFloors({ critical: 0, high: 0, medium: 0, low: 0 }, defaults);
+    expect(result.critical).toBe(MINIMUM_SEVERITY_WEIGHTS.critical);
+    expect(result.high).toBe(MINIMUM_SEVERITY_WEIGHTS.high);
+    expect(result.medium).toBe(MINIMUM_SEVERITY_WEIGHTS.medium);
+    expect(result.low).toBe(MINIMUM_SEVERITY_WEIGHTS.low);
+  });
+
+  it('preserves defaults for missing config keys', () => {
+    const result = enforceSeverityFloors({ critical: 50 }, defaults);
+    expect(result.critical).toBe(50);
+    expect(result.high).toBe(15); // default preserved
+    expect(result.medium).toBe(8); // default preserved
+  });
+
+  it('prevents complete disabling of security scoring', () => {
+    const result = enforceSeverityFloors(
+      { critical: 0, high: 0, medium: 0, low: 0 },
+      defaults
+    );
+    const totalWeight = Object.values(result).reduce((sum, v) => sum + v, 0);
+    expect(totalWeight).toBeGreaterThan(0);
+  });
+});