@massu/core 0.1.0 → 0.1.2

package/src/rules.ts

@@ -0,0 +1,57 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+import { getConfig } from './config.ts';
+
+export interface PatternRule {
+  /** Glob pattern to match file paths against */
+  match: string;
+  /** List of rules that apply to matched files */
+  rules: string[];
+  /** Severity: CRITICAL rules are schema mismatches or Edge Runtime violations */
+  severity?: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW';
+  /** Pattern file to reference for details */
+  patternFile?: string;
+}
+
+/**
+ * Get pattern rules from config.
+ * Converts the config format (pattern/rules) to the internal PatternRule format.
+ */
+function getPatternRules(): PatternRule[] {
+  return getConfig().rules.map((r) => ({
+    match: r.pattern,
+    rules: r.rules,
+  }));
+}
+
+/**
+ * Match a file path against all pattern rules and return applicable rules.
+ */
+export function matchRules(filePath: string): PatternRule[] {
+  const normalized = filePath.replace(/\\/g, '/');
+  const rules = getPatternRules();
+  return rules.filter((rule) => globMatch(normalized, rule.match));
+}
+
+/**
+ * Simple glob matching for pattern rules.
+ * Supports **, *, and ? wildcards.
+ */
+export function globMatch(filePath: string, pattern: string): boolean {
+  // Convert glob to regex using placeholders to avoid replacement conflicts
+  let regexStr = pattern
+    .replace(/\*\*\//g, '\0GLOBSTARSLASH\0')  // **/ placeholder
+    .replace(/\*\*/g, '\0GLOBSTAR\0')          // ** placeholder
+    .replace(/\*/g, '\0STAR\0')                // * placeholder
+    .replace(/\?/g, '\0QUESTION\0')            // ? placeholder
+    .replace(/\./g, '\\.')                      // escape dots
+    .replace(/\0GLOBSTARSLASH\0/g, '(?:.*/)?') // **/ = zero or more directories
+    .replace(/\0GLOBSTAR\0/g, '.*')            // ** = anything
+    .replace(/\0STAR\0/g, '[^/]*')             // * = non-slash chars
+    .replace(/\0QUESTION\0/g, '.');            // ? = single char
+
+  // Anchor pattern
+  const regex = new RegExp(`(^|/)${regexStr}($|/)`);
+  return regex.test(filePath);
+}

package/src/schema-mapper.ts

@@ -0,0 +1,232 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+import { readFileSync, existsSync, readdirSync } from 'fs';
+import { resolve, join } from 'path';
+import { getConfig, getResolvedPaths, getProjectRoot } from './config.ts';
+
+export interface SchemaModel {
+  name: string;
+  tableName: string;
+  fields: SchemaField[];
+}
+
+export interface SchemaField {
+  name: string;
+  type: string;
+  nullable: boolean;
+  isRelation: boolean;
+}
+
+export interface ColumnUsage {
+  file: string;
+  line: number;
+  usage: string;
+}
+
+export interface SchemaMismatch {
+  table: string;
+  codeColumn: string;
+  actualColumns: string[];
+  files: string[];
+  severity: 'CRITICAL' | 'HIGH';
+}
+
+/**
+ * Parse the Prisma schema file and extract all models with their fields.
+ */
+export function parsePrismaSchema(): SchemaModel[] {
+  const schemaPath = getResolvedPaths().prismaSchemaPath;
+  if (!existsSync(schemaPath)) {
+    throw new Error(`Prisma schema not found at ${schemaPath}`);
+  }
+
+  const source = readFileSync(schemaPath, 'utf-8');
+  const models: SchemaModel[] = [];
+  const sourceLines = source.split('\n');
+
+  // Parse models by tracking brace depth instead of regex
+  let i = 0;
+  while (i < sourceLines.length) {
+    const line = sourceLines[i].trim();
+    const modelMatch = line.match(/^model\s+(\w+)\s*\{/);
+
+    if (modelMatch) {
+      const modelName = modelMatch[1];
+      const fields: SchemaField[] = [];
+      let braceDepth = 1;
+      i++;
+
+      const bodyLines: string[] = [];
+      while (i < sourceLines.length && braceDepth > 0) {
+        const bodyLine = sourceLines[i];
+        for (const ch of bodyLine) {
+          if (ch === '{') braceDepth++;
+          if (ch === '}') braceDepth--;
+        }
+        if (braceDepth > 0) {
+          bodyLines.push(bodyLine);
+        }
+        i++;
+      }
+
+      for (const bodyLine of bodyLines) {
+        const trimmed = bodyLine.trim();
+        if (!trimmed || trimmed.startsWith('//') || trimmed.startsWith('@@')) continue;
+
+        // Parse field: fieldName Type? @annotations
+        // Must handle large whitespace padding in the schema
+        const fieldMatch = trimmed.match(/^(\w+)\s+(\w+)(\?)?(\[\])?\s*(.*)?$/);
+        if (fieldMatch) {
+          const fieldName = fieldMatch[1];
+          const fieldType = fieldMatch[2];
+          const nullable = !!fieldMatch[3];
+          const annotations = fieldMatch[5] || '';
+
+          // Skip @relation fields (they're virtual)
+          const isRelation = annotations.includes('@relation') || fieldType[0] === fieldType[0].toUpperCase() && !['String', 'Int', 'Float', 'Boolean', 'DateTime', 'Json', 'Decimal', 'BigInt', 'Bytes'].includes(fieldType);
+
+          fields.push({
+            name: fieldName,
+            type: fieldType + (fieldMatch[4] || '') + (nullable ? '?' : ''),
+            nullable,
+            isRelation,
+          });
+        }
+      }
+
+      // Derive table name from @@map or use model name directly (Prisma convention)
+      const body = bodyLines.join('\n');
+      const mapMatch = body.match(/@@map\("([^"]+)"\)/);
+      const tableName = mapMatch ? mapMatch[1] : toSnakeCase(modelName);
+
+      models.push({ name: modelName, tableName, fields });
+    } else {
+      i++;
+    }
+  }
+
+  return models;
+}
+
+function toSnakeCase(str: string): string {
+  return str
+    .replace(/([A-Z])/g, '_$1')
+    .toLowerCase()
+    .replace(/^_/, '');
+}
+
+/**
+ * Find all references to a table's columns in router files.
+ */
+export function findColumnUsageInRouters(tableName: string): Map<string, ColumnUsage[]> {
+  const usage = new Map<string, ColumnUsage[]>();
+  const routersDir = getResolvedPaths().routersDir;
+
+  if (!existsSync(routersDir)) return usage;
+
+  scanDirectory(routersDir, tableName, usage);
+  return usage;
+}
+
+function scanDirectory(dir: string, tableName: string, usage: Map<string, ColumnUsage[]>): void {
+  const entries = readdirSync(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    const fullPath = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      scanDirectory(fullPath, tableName, usage);
+    } else if (entry.name.endsWith('.ts')) {
+      scanFile(fullPath, tableName, usage);
+    }
+  }
+}
+
+function scanFile(absPath: string, tableName: string, usage: Map<string, ColumnUsage[]>): void {
+  try {
+    const source = readFileSync(absPath, 'utf-8');
+
+    // Check if this file references the table
+    if (!source.includes(tableName)) return;
+
+    const relPath = absPath.slice(getProjectRoot().length + 1);
+    const lines = source.split('\n');
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+
+      // Look for property access patterns: tableName.columnName or { columnName: ... } near table references
+      // Pattern 1: where: { columnName: value }
+      const whereMatch = line.match(/(\w+)\s*:\s*(?:\{|[^,}]+)/g);
+      if (whereMatch) {
+        for (const m of whereMatch) {
+          const colName = m.split(':')[0].trim();
+          if (colName && !['where', 'data', 'select', 'orderBy', 'include', 'const', 'let', 'return', 'if', 'else', 'async', 'await'].includes(colName)) {
+            if (!usage.has(colName)) usage.set(colName, []);
+            usage.get(colName)!.push({ file: relPath, line: i + 1, usage: line.trim() });
+          }
+        }
+      }
+    }
+  } catch {
+    // Skip unreadable
+  }
+}
+
+/**
+ * Detect column name mismatches between code and schema.
+ */
+export function detectMismatches(models: SchemaModel[]): SchemaMismatch[] {
+  const mismatches: SchemaMismatch[] = [];
+
+  const knownMismatches = getConfig().knownMismatches ?? {};
+
+  for (const [tableName, wrongColumns] of Object.entries(knownMismatches)) {
+    const model = models.find(m => m.tableName === tableName);
+    if (!model) continue;
+
+    const actualColumnNames = model.fields.map(f => f.name);
+
+    for (const [wrongCol, correctCol] of Object.entries(wrongColumns)) {
+      // Search for the wrong column name in code
+      const routersDir = getResolvedPaths().routersDir;
+      const files = findFilesUsingColumn(routersDir, wrongCol, tableName);
+
+      if (files.length > 0) {
+        mismatches.push({
+          table: tableName,
+          codeColumn: wrongCol,
+          actualColumns: actualColumnNames,
+          files,
+          severity: 'CRITICAL',
+        });
+      }
+    }
+  }
+
+  return mismatches;
+}
+
+function findFilesUsingColumn(dir: string, column: string, tableName: string): string[] {
+  const result: string[] = [];
+  if (!existsSync(dir)) return result;
+
+  const entries = readdirSync(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    const fullPath = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      result.push(...findFilesUsingColumn(fullPath, column, tableName));
+    } else if (entry.name.endsWith('.ts')) {
+      try {
+        const source = readFileSync(fullPath, 'utf-8');
+        // Only flag if both the table name and wrong column are in the file
+        if (source.includes(tableName) && source.includes(column)) {
+          result.push(fullPath.slice(getProjectRoot().length + 1));
+        }
+      } catch {
+        // Skip
+      }
+    }
+  }
+
+  return result;
+}

package/src/security-scorer.ts

@@ -0,0 +1,405 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+import type Database from 'better-sqlite3';
+import type { ToolDefinition, ToolResult } from './tools.ts';
+import { getConfig } from './config.ts';
+import { existsSync, readFileSync } from 'fs';
+import { ensureWithinRoot, enforceSeverityFloors } from './security-utils.ts';
+
+// ============================================================
+// Security Risk Scoring
+// ============================================================
+
+/** Prefix a base tool name with the configured tool prefix. */
+function p(baseName: string): string {
+  return `${getConfig().toolPrefix}_${baseName}`;
+}
+
+export interface SecurityFinding {
+  pattern: string;
+  severity: 'critical' | 'high' | 'medium' | 'low';
+  line: number;
+  description: string;
+}
+
+interface SecurityPattern {
+  regex: RegExp;
+  severity: SecurityFinding['severity'];
+  description: string;
+  fileFilter?: RegExp;
+}
+
+/** Default security patterns. Configurable via security.patterns in config. */
+const DEFAULT_SECURITY_PATTERNS: SecurityPattern[] = [
+  {
+    regex: /\bexec\s*\(\s*[`"'].*\$\{/,
+    severity: 'critical',
+    description: 'Potential command injection via template literal in exec()',
+  },
+  {
+    regex: /publicProcedure\s*\.\s*mutation/,
+    severity: 'critical',
+    description: 'Mutation without authentication (publicProcedure)',
+    fileFilter: /\.(ts|tsx)$/,
+  },
+  {
+    regex: /(password|secret|token|api_key)\s*[:=]\s*['"][^'"]{8,}['"]/i,
+    severity: 'critical',
+    description: 'Hardcoded credential or secret',
+  },
+  {
+    regex: /\bdangerouslySetInnerHTML\b/,
+    severity: 'high',
+    description: 'XSS risk via dangerouslySetInnerHTML',
+    fileFilter: /\.tsx$/,
+  },
+  {
+    regex: /\.raw\s*\(`/,
+    severity: 'high',
+    description: 'Raw SQL query with template literal (SQL injection risk)',
+  },
+  {
+    regex: /eval\s*\(/,
+    severity: 'high',
+    description: 'Use of eval() - code injection risk',
+  },
+  {
+    regex: /process\.env\.\w+.*\bconsole\.(log|info|debug)/,
+    severity: 'medium',
+    description: 'Environment variable logged to console',
+  },
+  {
+    regex: /catch\s*\([^)]*\)\s*\{[^}]*res\.(json|send)\([^)]*err/,
+    severity: 'medium',
+    description: 'Error details exposed in response',
+  },
+  {
+    regex: /Access-Control-Allow-Origin.*\*/,
+    severity: 'medium',
+    description: 'Overly permissive CORS (allows all origins)',
+  },
+  {
+    regex: /new\s+URL\s*\(\s*(?:req|input|params|query)/,
+    severity: 'medium',
+    description: 'URL constructed from user input (SSRF risk)',
+  },
+  {
+    regex: /JSON\.parse\s*\(\s*(?:req|input|body|params)/,
+    severity: 'low',
+    description: 'JSON.parse on user input without try/catch',
+  },
+  {
+    regex: /prototype\s*:/,
+    severity: 'high',
+    description: 'Prototype key in object literal (prototype pollution risk)',
+  },
+];
+
+/** Default severity weights. Configurable via security.severity_weights */
+const DEFAULT_SEVERITY_WEIGHTS: Record<string, number> = {
+  critical: 25,
+  high: 15,
+  medium: 8,
+  low: 3,
+};
+
+/**
+ * Get severity weights from config or defaults.
+ */
+function getSeverityWeights(): Record<string, number> {
+  const configWeights = getConfig().security?.severity_weights;
+  if (!configWeights) return DEFAULT_SEVERITY_WEIGHTS;
+  return enforceSeverityFloors(configWeights, DEFAULT_SEVERITY_WEIGHTS);
+}
+
+/**
+ * Score security risk for a file.
+ * Returns 0 (safe) to 100 (critical risk).
+ */
+export function scoreFileSecurity(filePath: string, projectRoot: string): {
+  riskScore: number;
+  findings: SecurityFinding[];
+} {
+  let absPath: string;
+  try {
+    absPath = ensureWithinRoot(filePath, projectRoot);
+  } catch {
+    return {
+      riskScore: 100,
+      findings: [{
+        pattern: 'path_traversal',
+        severity: 'critical',
+        line: 0,
+        description: `Path traversal blocked: "${filePath}" resolves outside project root`,
+      }],
+    };
+  }
+  if (!existsSync(absPath)) {
+    return { riskScore: 0, findings: [] };
+  }
+
+  let source: string;
+  try {
+    source = readFileSync(absPath, 'utf-8');
+  } catch {
+    return { riskScore: 0, findings: [] };
+  }
+
+  const findings: SecurityFinding[] = [];
+  const lines = source.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const pattern of DEFAULT_SECURITY_PATTERNS) {
+      if (pattern.fileFilter && !pattern.fileFilter.test(filePath)) continue;
+      if (pattern.regex.test(line)) {
+        findings.push({
+          pattern: pattern.regex.source.slice(0, 50),
+          severity: pattern.severity,
+          line: i + 1,
+          description: pattern.description,
+        });
+      }
+    }
+  }
+
+  // Calculate risk score
+  const severityWeights = getSeverityWeights();
+  let riskScore = 0;
+
+  for (const finding of findings) {
+    riskScore += severityWeights[finding.severity] ?? 0;
+  }
+
+  return {
+    riskScore: Math.min(100, riskScore),
+    findings,
+  };
+}
+
+/**
+ * Store security score for a file.
+ */
+export function storeSecurityScore(
+  db: Database.Database,
+  sessionId: string,
+  filePath: string,
+  riskScore: number,
+  findings: SecurityFinding[]
+): void {
+  db.prepare(`
+    INSERT INTO security_scores
+    (session_id, file_path, risk_score, findings)
+    VALUES (?, ?, ?, ?)
+  `).run(sessionId, filePath, riskScore, JSON.stringify(findings));
+}
+
+// ============================================================
+// MCP Tool Definitions & Handlers
+// ============================================================
+
+export function getSecurityToolDefinitions(): ToolDefinition[] {
+  return [
+    {
+      name: p('security_score'),
+      description: 'Security risk score for a file. Detects SQL injection, XSS, hardcoded secrets, auth gaps, and more.',
+      inputSchema: {
+        type: 'object',
+        properties: {
+          file_path: { type: 'string', description: 'File path relative to project root' },
+          session_id: { type: 'string', description: 'Get scores for an entire session' },
+        },
+        required: [],
+      },
+    },
+    {
+      name: p('security_heatmap'),
+      description: 'Security risk heat map. Files ranked by risk score with summary findings.',
+      inputSchema: {
+        type: 'object',
+        properties: {
+          threshold: { type: 'number', description: 'Show files above this risk score (default: 30)' },
+        },
+        required: [],
+      },
+    },
+    {
+      name: p('security_trend'),
+      description: 'Security posture over time. Average risk scores and most improved/degraded areas.',
+      inputSchema: {
+        type: 'object',
+        properties: {
+          days: { type: 'number', description: 'Days to look back (default: 30)' },
+        },
+        required: [],
+      },
+    },
+  ];
+}
+
+const SECURITY_BASE_NAMES = new Set(['security_score', 'security_heatmap', 'security_trend']);
+
+export function isSecurityTool(name: string): boolean {
+  const pfx = getConfig().toolPrefix + '_';
+  const baseName = name.startsWith(pfx) ? name.slice(pfx.length) : name;
+  return SECURITY_BASE_NAMES.has(baseName);
+}
+
+export function handleSecurityToolCall(
+  name: string,
+  args: Record<string, unknown>,
+  memoryDb: Database.Database
+): ToolResult {
+  try {
+    const pfx = getConfig().toolPrefix + '_';
+    const baseName = name.startsWith(pfx) ? name.slice(pfx.length) : name;
+
+    switch (baseName) {
+      case 'security_score':
+        return handleSecurityScore(args, memoryDb);
+      case 'security_heatmap':
+        return handleSecurityHeatmap(args, memoryDb);
+      case 'security_trend':
+        return handleSecurityTrend(args, memoryDb);
+      default:
+        return text(`Unknown security tool: ${name}`);
+    }
+  } catch (error) {
+    return text(`Error in ${name}: ${error instanceof Error ? error.message : String(error)}\n\nUsage: ${p('security_score')} { file_path: "src/..." }, ${p('security_heatmap')} { threshold: 30 }`);
+  }
+}
+
+function handleSecurityScore(args: Record<string, unknown>, db: Database.Database): ToolResult {
+  const filePath = args.file_path as string | undefined;
+  const sessionId = args.session_id as string | undefined;
+
+  if (filePath) {
+    const config = getConfig();
+    const { riskScore, findings } = scoreFileSecurity(filePath, config.project.root);
+
+    // Store the result
+    const session = db.prepare(
+      "SELECT session_id FROM sessions WHERE status = 'active' ORDER BY started_at_epoch DESC LIMIT 1"
+    ).get() as { session_id: string } | undefined;
+    if (session) {
+      storeSecurityScore(db, session.session_id, filePath, riskScore, findings);
+    }
+
+    const lines = [
+      `## Security Score: ${filePath}`,
+      `Risk: **${riskScore}/100** ${riskScore === 0 ? '(clean)' : riskScore < 30 ? '(low risk)' : riskScore < 60 ? '(medium risk)' : '(HIGH RISK)'}`,
+      '',
+    ];
+
+    if (findings.length > 0) {
+      lines.push('### Findings');
+      for (const f of findings) {
+        lines.push(`- **[${f.severity.toUpperCase()}]** L${f.line}: ${f.description}`);
+      }
+    } else {
+      lines.push(`No security findings detected (checked ${DEFAULT_SECURITY_PATTERNS.length} patterns including command injection, XSS, hardcoded secrets, and auth gaps).`);
+    }
+
+    return text(lines.join('\n'));
+  }
+
+  if (sessionId) {
+    const scores = db.prepare(`
+      SELECT file_path, risk_score, findings FROM security_scores
+      WHERE session_id = ?
+      ORDER BY risk_score DESC
+    `).all(sessionId) as Array<Record<string, unknown>>;
+
+    if (scores.length === 0) {
+      return text(`No security scores for session ${sessionId.slice(0, 8)}... Security scores are generated when files are scanned. Try: ${p('security_score')} { file_path: "src/server/api/routers/example.ts" } to scan a file, or ${p('security_heatmap')} {} to see all scanned files.`);
+    }
+
+    const lines = [
+      `## Security Scores for Session ${sessionId.slice(0, 12)}...`,
+      '',
+      '| File | Risk Score | Findings |',
+      '|------|-----------|----------|',
+    ];
+
+    for (const s of scores) {
+      const findingCount = JSON.parse(s.findings as string).length;
+      lines.push(`| ${s.file_path} | ${s.risk_score} | ${findingCount} |`);
+    }
+
+    return text(lines.join('\n'));
+  }
+
+  return text(`Usage: ${p('security_score')} { file_path: "src/server/api/routers/example.ts" } to scan a file, or ${p('security_score')} { session_id: "..." } to see all scores for a session.`);
+}
+
+function handleSecurityHeatmap(args: Record<string, unknown>, db: Database.Database): ToolResult {
+  const threshold = (args.threshold as number) ?? 30;
+
+  const files = db.prepare(`
+    SELECT file_path, MAX(risk_score) as max_risk, COUNT(*) as scan_count
+    FROM security_scores
+    GROUP BY file_path
+    HAVING max_risk >= ?
+    ORDER BY max_risk DESC
+    LIMIT 50
+  `).all(threshold) as Array<Record<string, unknown>>;
+
+  if (files.length === 0) {
+    return text(`No files with risk score >= ${threshold}. ${threshold > 0 ? `Try lowering the threshold or scan files with ${p('security_score')} { file_path: "..." }.` : 'No security scans recorded yet. Scan files to build the heat map.'}`);
+  }
+
+  const lines = [
+    `## Security Heat Map (threshold: ${threshold})`,
+    `Files at risk: ${files.length}`,
+    '',
+    '| Risk | File | Scans |',
+    '|------|------|-------|',
+  ];
+
+  for (const f of files) {
+    const risk = f.max_risk as number;
+    const indicator = risk >= 60 ? 'HIGH' : risk >= 30 ? 'MEDIUM' : 'LOW';
+    lines.push(`| ${risk} [${indicator}] | ${f.file_path} | ${f.scan_count} |`);
+  }
+
+  return text(lines.join('\n'));
+}
+
+function handleSecurityTrend(args: Record<string, unknown>, db: Database.Database): ToolResult {
+  const days = (args.days as number) ?? 30;
+
+  const rows = db.prepare(`
+    SELECT date(created_at) as day,
+           AVG(risk_score) as avg_risk,
+           MAX(risk_score) as max_risk,
+           COUNT(*) as files_scanned
+    FROM security_scores
+    WHERE created_at >= datetime('now', ?)
+    GROUP BY date(created_at)
+    ORDER BY day ASC
+  `).all(`-${days} days`) as Array<Record<string, unknown>>;
+
+  if (rows.length === 0) {
+    return text(`No security scan data in the last ${days} days. Security trends build as files are scanned across sessions. Try: ${p('security_score')} { file_path: "src/server/api/routers/example.ts" } to scan a file, or try a longer time range with { days: 90 }.`);
+  }
+
+  const lines = [
+    `## Security Trend (${days} days)`,
+    '',
+    '| Date | Avg Risk | Max Risk | Files Scanned |',
+    '|------|----------|----------|---------------|',
+  ];
+
+  for (const row of rows) {
+    lines.push(
+      `| ${row.day} | ${(row.avg_risk as number).toFixed(1)} | ${row.max_risk} | ${row.files_scanned} |`
+    );
+  }
+
+  return text(lines.join('\n'));
+}
+
+function text(content: string): ToolResult {
+  return { content: [{ type: 'text', text: content }] };
+}