@massu/core 0.1.1 → 0.4.0

package/src/__tests__/schema-mapper.test.ts

@@ -1,29 +0,0 @@
-// Copyright (c) 2026 Massu. All rights reserved.
-// Licensed under BSL 1.1 - see LICENSE file for details.
-
-import { describe, it, expect } from 'vitest';
-import { existsSync } from 'fs';
-import { parsePrismaSchema } from '../schema-mapper.ts';
-import { getResolvedPaths } from '../config.ts';
-
-const schemaExists = existsSync(getResolvedPaths().prismaSchemaPath);
-
-describe('parsePrismaSchema', () => {
-  it('parses the Prisma schema file', () => {
-    if (!schemaExists) {
-      // No schema in this project - verify it throws gracefully
-      expect(() => parsePrismaSchema()).toThrow('Prisma schema not found');
-      return;
-    }
-    const models = parsePrismaSchema();
-    expect(models.length).toBeGreaterThan(0);
-  });
-
-  it('finds models with fields', () => {
-    if (!schemaExists) return;
-    const models = parsePrismaSchema();
-    for (const model of models) {
-      expect(model.fields.length).toBeGreaterThan(0);
-    }
-  });
-});

package/src/__tests__/security-scorer.test.ts

@@ -1,238 +0,0 @@
-// Copyright (c) 2026 Massu. All rights reserved.
-// Licensed under BSL 1.1 - see LICENSE file for details.
-
-import { describe, it, expect, beforeEach, afterEach } from 'vitest';
-import Database from 'better-sqlite3';
-import { writeFileSync, mkdirSync, rmSync } from 'fs';
-import { join } from 'path';
-import {
-  getSecurityToolDefinitions,
-  isSecurityTool,
-  scoreFileSecurity,
-  storeSecurityScore,
-  handleSecurityToolCall,
-} from '../security-scorer.ts';
-
-function createTestDb(): Database.Database {
-  const db = new Database(':memory:');
-  db.exec(`
-    CREATE TABLE security_scores (
-      id INTEGER PRIMARY KEY AUTOINCREMENT,
-      session_id TEXT NOT NULL,
-      file_path TEXT NOT NULL,
-      risk_score INTEGER NOT NULL DEFAULT 0,
-      findings TEXT,
-      created_at TEXT DEFAULT (datetime('now'))
-    );
-
-    CREATE TABLE sessions (
-      session_id TEXT PRIMARY KEY,
-      status TEXT,
-      started_at_epoch INTEGER
-    );
-  `);
-  return db;
-}
-
-describe('security-scorer', () => {
-  let db: Database.Database;
-  const testDir = '/tmp/security-scorer-test';
-
-  beforeEach(() => {
-    db = createTestDb();
-    try {
-      rmSync(testDir, { recursive: true, force: true });
-    } catch { /* ignore */ }
-    mkdirSync(testDir, { recursive: true });
-  });
-
-  afterEach(() => {
-    db.close();
-    try {
-      rmSync(testDir, { recursive: true, force: true });
-    } catch { /* ignore */ }
-  });
-
-  describe('getSecurityToolDefinitions', () => {
-    it('returns 3 tool definitions', () => {
-      const tools = getSecurityToolDefinitions();
-      expect(tools).toHaveLength(3);
-      expect(tools.map(t => t.name.split('_').slice(-2).join('_'))).toEqual([
-        'security_score',
-        'security_heatmap',
-        'security_trend',
-      ]);
-    });
-
-    it('has required fields in tool definitions', () => {
-      const tools = getSecurityToolDefinitions();
-      tools.forEach(tool => {
-        expect(tool.name).toBeTruthy();
-        expect(tool.description).toBeTruthy();
-        expect(tool.inputSchema).toBeDefined();
-      });
-    });
-  });
-
-  describe('isSecurityTool', () => {
-    it('returns true for security tool names', () => {
-      expect(isSecurityTool('massu_security_score')).toBe(true);
-      expect(isSecurityTool('massu_security_heatmap')).toBe(true);
-      expect(isSecurityTool('massu_security_trend')).toBe(true);
-    });
-
-    it('returns false for non-security tool names', () => {
-      expect(isSecurityTool('massu_adr_list')).toBe(false);
-      expect(isSecurityTool('massu_unknown')).toBe(false);
-    });
-  });
-
-  describe('scoreFileSecurity', () => {
-    it('returns 0 for non-existent file', () => {
-      const result = scoreFileSecurity('nonexistent.ts', testDir);
-      expect(result.riskScore).toBe(0);
-      expect(result.findings).toEqual([]);
-    });
-
-    it('detects hardcoded credentials', () => {
-      const filePath = join(testDir, 'test.ts');
-      writeFileSync(filePath, `const api_key = "sk-1234567890abcdef";\n`);
-
-      const result = scoreFileSecurity(filePath, testDir);
-      expect(result.riskScore).toBeGreaterThan(0);
-      expect(result.findings.length).toBeGreaterThan(0);
-      expect(result.findings[0].severity).toBe('critical');
-      expect(result.findings[0].description).toContain('credential');
-    });
-
-    it('detects publicProcedure.mutation vulnerability', () => {
-      const filePath = join(testDir, 'router.ts');
-      writeFileSync(filePath, `export const router = publicProcedure.mutation(async () => {});\n`);
-
-      const result = scoreFileSecurity(filePath, testDir);
-      expect(result.riskScore).toBeGreaterThan(0);
-      const mutation = result.findings.find(f => f.description.includes('Mutation without authentication'));
-      expect(mutation).toBeDefined();
-      expect(mutation?.severity).toBe('critical');
-    });
-
-    it('detects eval usage', () => {
-      const filePath = join(testDir, 'dangerous.ts');
-      writeFileSync(filePath, `const result = eval(userInput);\n`);
-
-      const result = scoreFileSecurity(filePath, testDir);
-      expect(result.riskScore).toBeGreaterThan(0);
-      const evalFinding = result.findings.find(f => f.description.includes('eval()'));
-      expect(evalFinding).toBeDefined();
-      expect(evalFinding?.severity).toBe('high');
-    });
-
-    it('detects dangerouslySetInnerHTML in tsx files', () => {
-      const filePath = join(testDir, 'component.tsx');
-      writeFileSync(filePath, `<div dangerouslySetInnerHTML={{ __html: html }} />\n`);
-
-      const result = scoreFileSecurity(filePath, testDir);
-      expect(result.riskScore).toBeGreaterThan(0);
-      const xss = result.findings.find(f => f.description.includes('XSS risk'));
-      expect(xss).toBeDefined();
-      expect(xss?.severity).toBe('high');
-    });
-
-    it('returns 0 for clean file', () => {
-      const filePath = join(testDir, 'clean.ts');
-      writeFileSync(filePath, `export function add(a: number, b: number) { return a + b; }\n`);
-
-      const result = scoreFileSecurity(filePath, testDir);
-      expect(result.riskScore).toBe(0);
-      expect(result.findings).toEqual([]);
-    });
-
-    it('caps risk score at 100', () => {
-      const filePath = join(testDir, 'critical.ts');
-      writeFileSync(filePath, `
-        const password = "hardcoded-secret-12345";
-        const token = "sk-1234567890abcdef";
-        const apiKey = "another-secret-key-abc";
-        publicProcedure.mutation(async () => {});
-        eval(userInput);
-        exec(\`rm -rf \${dir}\`);
-      `);
-
-      const result = scoreFileSecurity(filePath, testDir);
-      expect(result.riskScore).toBeLessThanOrEqual(100);
-    });
-
-    it('blocks path traversal attacks', () => {
-      const result = scoreFileSecurity('../../../etc/passwd', testDir);
-      expect(result.riskScore).toBe(100);
-      expect(result.findings[0].severity).toBe('critical');
-      expect(result.findings[0].description).toContain('Path traversal blocked');
-    });
-  });
-
-  describe('storeSecurityScore', () => {
-    it('stores security score in database', () => {
-      storeSecurityScore(db, 'session-123', 'src/test.ts', 42, [
-        { pattern: 'test', severity: 'high', line: 10, description: 'Test finding' },
-      ]);
-
-      const row = db.prepare('SELECT * FROM security_scores WHERE session_id = ?').get('session-123') as Record<string, unknown>;
-      expect(row.file_path).toBe('src/test.ts');
-      expect(row.risk_score).toBe(42);
-
-      const findings = JSON.parse(row.findings as string) as Array<Record<string, unknown>>;
-      expect(findings).toHaveLength(1);
-      expect(findings[0].description).toBe('Test finding');
-    });
-  });
-
-  describe('handleSecurityToolCall', () => {
-    it('handles security_score for file', () => {
-      const filePath = join(testDir, 'test.ts');
-      writeFileSync(filePath, `export const x = 1;\n`);
-
-      // Create active session
-      db.prepare(`INSERT INTO sessions (session_id, status, started_at_epoch) VALUES (?, ?, ?)`).run(
-        'test-session',
-        'active',
-        Math.floor(Date.now() / 1000)
-      );
-
-      const result = handleSecurityToolCall('massu_security_score', { file_path: filePath }, db);
-      const text = result.content[0].text;
-      expect(text).toContain('Security Score');
-      expect(text).toContain(filePath);
-    });
-
-    it('handles security_heatmap with no data', () => {
-      const result = handleSecurityToolCall('massu_security_heatmap', {}, db);
-      const text = result.content[0].text;
-      expect(text).toContain('No files with risk score');
-    });
-
-    it('handles security_heatmap with threshold', () => {
-      storeSecurityScore(db, 'session-1', 'file1.ts', 50, []);
-      storeSecurityScore(db, 'session-1', 'file2.ts', 80, []);
-      storeSecurityScore(db, 'session-1', 'file3.ts', 20, []);
-
-      const result = handleSecurityToolCall('massu_security_heatmap', { threshold: 30 }, db);
-      const text = result.content[0].text;
-      expect(text).toContain('Security Heat Map');
-      expect(text).toContain('file1.ts');
-      expect(text).toContain('file2.ts');
-      expect(text).not.toContain('file3.ts');
-    });
-
-    it('handles security_trend with no data', () => {
-      const result = handleSecurityToolCall('massu_security_trend', {}, db);
-      const text = result.content[0].text;
-      expect(text).toContain('No security scan data');
-    });
-
-    it('handles unknown tool name', () => {
-      const result = handleSecurityToolCall('massu_security_unknown', {}, db);
-      const text = result.content[0].text;
-      expect(text).toContain('Unknown security tool');
-    });
-  });
-});

package/src/__tests__/security-utils.test.ts

@@ -1,175 +0,0 @@
-// Copyright (c) 2026 Massu. All rights reserved.
-// Licensed under BSL 1.1 - see LICENSE file for details.
-
-import { describe, it, expect } from 'vitest';
-import {
-  ensureWithinRoot,
-  escapeRegex,
-  safeRegex,
-  globToSafeRegex,
-  redactSensitiveContent,
-  enforceSeverityFloors,
-  MINIMUM_SEVERITY_WEIGHTS,
-} from '../security-utils.ts';
-
-describe('ensureWithinRoot', () => {
-  const root = '/projects/my-app';
-
-  it('allows paths within root', () => {
-    expect(ensureWithinRoot('src/index.ts', root)).toBe('/projects/my-app/src/index.ts');
-  });
-
-  it('allows nested paths', () => {
-    expect(ensureWithinRoot('src/lib/utils/helpers.ts', root)).toBe('/projects/my-app/src/lib/utils/helpers.ts');
-  });
-
-  it('blocks path traversal with ../', () => {
-    expect(() => ensureWithinRoot('../../etc/passwd', root)).toThrow('Path traversal blocked');
-  });
-
-  it('blocks path traversal with encoded sequences', () => {
-    expect(() => ensureWithinRoot('../../../etc/shadow', root)).toThrow('Path traversal blocked');
-  });
-
-  it('normalizes paths with ./ segments', () => {
-    expect(ensureWithinRoot('./src/../src/index.ts', root)).toBe('/projects/my-app/src/index.ts');
-  });
-
-  it('blocks traversal that resolves outside after normalization', () => {
-    expect(() => ensureWithinRoot('src/../../../../etc/passwd', root)).toThrow('Path traversal blocked');
-  });
-});
-
-describe('escapeRegex', () => {
-  it('escapes special regex characters', () => {
-    expect(escapeRegex('hello.world')).toBe('hello\\.world');
-    expect(escapeRegex('a+b*c')).toBe('a\\+b\\*c');
-    expect(escapeRegex('foo(bar)')).toBe('foo\\(bar\\)');
-  });
-
-  it('leaves normal strings unchanged', () => {
-    expect(escapeRegex('hello world')).toBe('hello world');
-  });
-
-  it('escapes all PCRE special chars', () => {
-    const special = '.*+?^${}()|[]\\';
-    const escaped = escapeRegex(special);
-    // Every char should be escaped
-    expect(escaped).toBe('\\.\\*\\+\\?\\^\\$\\{\\}\\(\\)\\|\\[\\]\\\\');
-  });
-});
-
-describe('safeRegex', () => {
-  it('compiles simple patterns', () => {
-    const re = safeRegex('hello|world');
-    expect(re).toBeInstanceOf(RegExp);
-    expect(re!.test('hello')).toBe(true);
-  });
-
-  it('rejects nested quantifiers (ReDoS)', () => {
-    expect(safeRegex('(a+)+')).toBeNull();
-    expect(safeRegex('(a*)*')).toBeNull();
-    expect(safeRegex('(a+){2,}')).toBeNull();
-  });
-
-  it('rejects excessively long patterns', () => {
-    expect(safeRegex('a'.repeat(501))).toBeNull();
-  });
-
-  it('rejects invalid regex syntax', () => {
-    expect(safeRegex('(?P<invalid')).toBeNull();
-  });
-
-  it('accepts reasonable patterns', () => {
-    expect(safeRegex('\\bctx\\.prisma\\b')).toBeInstanceOf(RegExp);
-    expect(safeRegex('import.*from')).toBeInstanceOf(RegExp);
-  });
-
-  it('supports flags', () => {
-    const re = safeRegex('hello', 'i');
-    expect(re!.test('HELLO')).toBe(true);
-  });
-});
-
-describe('globToSafeRegex', () => {
-  it('converts simple glob with single star', () => {
-    const re = globToSafeRegex('src/**/*.ts');
-    expect(re.test('src/lib/utils.ts')).toBe(true);
-    expect(re.test('src/deep/nested/file.ts')).toBe(true);
-  });
-
-  it('does not match across path separators with single star', () => {
-    const re = globToSafeRegex('src/*.ts');
-    expect(re.test('src/index.ts')).toBe(true);
-    expect(re.test('src/lib/index.ts')).toBe(false);
-  });
-
-  it('escapes special regex chars in the glob', () => {
-    const re = globToSafeRegex('src/components/(portal)/*.tsx');
-    expect(re.test('src/components/(portal)/page.tsx')).toBe(true);
-  });
-});
-
-describe('redactSensitiveContent', () => {
-  it('redacts API keys', () => {
-    expect(redactSensitiveContent('key: sk-abc123def456ghij')).toContain('[REDACTED_KEY]');
-    expect(redactSensitiveContent('token: ghp_1234567890abcdef')).toContain('[REDACTED_KEY]');
-  });
-
-  it('redacts email addresses', () => {
-    expect(redactSensitiveContent('contact user@example.com')).toContain('[REDACTED_EMAIL]');
-  });
-
-  it('redacts Bearer tokens', () => {
-    expect(redactSensitiveContent('Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig'))
-      .toContain('[REDACTED_TOKEN]');
-  });
-
-  it('redacts absolute file paths', () => {
-    expect(redactSensitiveContent('file at /Users/john/secrets/key.pem')).toContain('[REDACTED_PATH]');
-  });
-
-  it('redacts connection strings', () => {
-    expect(redactSensitiveContent('postgres://admin:s3cret@db.host.com/mydb'))
-      .toContain('[REDACTED_CREDENTIALS]');
-  });
-
-  it('preserves non-sensitive content', () => {
-    const safe = 'This is a normal prompt about implementing a feature';
-    expect(redactSensitiveContent(safe)).toBe(safe);
-  });
-});
-
-describe('enforceSeverityFloors', () => {
-  const defaults = { critical: 25, high: 15, medium: 8, low: 3 };
-
-  it('uses config values when above floor', () => {
-    const result = enforceSeverityFloors({ critical: 30, high: 20 }, defaults);
-    expect(result.critical).toBe(30);
-    expect(result.high).toBe(20);
-  });
-
-  it('enforces minimum floors', () => {
-    const result = enforceSeverityFloors({ critical: 0, high: 0, medium: 0, low: 0 }, defaults);
-    expect(result.critical).toBe(MINIMUM_SEVERITY_WEIGHTS.critical);
-    expect(result.high).toBe(MINIMUM_SEVERITY_WEIGHTS.high);
-    expect(result.medium).toBe(MINIMUM_SEVERITY_WEIGHTS.medium);
-    expect(result.low).toBe(MINIMUM_SEVERITY_WEIGHTS.low);
-  });
-
-  it('preserves defaults for missing config keys', () => {
-    const result = enforceSeverityFloors({ critical: 50 }, defaults);
-    expect(result.critical).toBe(50);
-    expect(result.high).toBe(15); // default preserved
-    expect(result.medium).toBe(8); // default preserved
-  });
-
-  it('prevents complete disabling of security scoring', () => {
-    const result = enforceSeverityFloors(
-      { critical: 0, high: 0, medium: 0, low: 0 },
-      defaults
-    );
-    const totalWeight = Object.values(result).reduce((sum, v) => sum + v, 0);
-    expect(totalWeight).toBeGreaterThan(0);
-  });
-});