@paths.design/caws-cli 4.0.0 → 4.1.0

package/templates/apps/tools/caws/prompt-lint.js.backup

@@ -0,0 +1,274 @@
+#!/usr/bin/env node
+
+/**
+ * @fileoverview CAWS Prompt Linter
+ * Validates prompts for secrets and ensures tool allowlist compliance
+ * @author @darianrosebrook
+ */
+
+const fs = require("fs");
+
+/**
+ * Common secret patterns to detect
+ */
+const SECRET_PATTERNS = [
+  // API Keys
+  /api[_-]?key[_-]?token\s*[=:]\s*['"]?([a-zA-Z0-9_-]{20,})['"]?/gi,
+  /x-api-key\s*[=:]\s*['"]?([a-zA-Z0-9_-]{20,})['"]?/gi,
+  /authorization\s*[=:]\s*['"]?(Bearer\s+)?([a-zA-Z0-9_-]{20,})['"]?/gi,
+
+  // Tokens
+  /token\s*[=:]\s*['"]?([a-zA-Z0-9_-]{20,})['"]?/gi,
+  /access[_-]?token\s*[=:]\s*['"]?([a-zA-Z0-9_-]{20,})['"]?/gi,
+  /refresh[_-]?token\s*[=:]\s*['"]?([a-zA-Z0-9_-]{20,})['"]?/gi,
+  /auth[_-]?token\s*[=:]\s*['"]?([a-zA-Z0-9_-]{20,})['"]?/gi,
+
+  // Passwords
+  /password\s*[=:]\s*['"]?([a-zA-Z0-9_-]{8,})['"]?/gi,
+  /passwd\s*[=:]\s*['"]?([a-zA-Z0-9_-]{8,})['"]?/gi,
+  /pwd\s*[=:]\s*['"]?([a-zA-Z0-9_-]{8,})['"]?/gi,
+
+  // Secrets
+  /secret\s*[=:]\s*['"]?([a-zA-Z0-9_-]{16,})['"]?/gi,
+  /private[_-]?key\s*[=:]\s*['"]?([a-zA-Z0-9_-]{20,})['"]?/gi,
+
+  // Environment variables that might contain secrets
+  /process\.env\.[A-Z_]+_KEY/gi,
+  /process\.env\.[A-Z_]+_TOKEN/gi,
+  /process\.env\.[A-Z_]+_SECRET/gi,
+  /process\.env\.[A-Z_]+_PASSWORD/gi,
+
+  // URLs with potential secrets
+  /https?:\/\/[^/]*@[^/]+/gi,
+
+  // Base64 encoded strings that might be secrets
+  /[A-Za-z0-9+/=]{40,}/g,
+
+  // AWS keys
+  /AKIA[A-Z0-9]{16}/gi,
+
+  // GitHub tokens
+  /ghp_[A-Za-z0-9]{36}/gi,
+  /github_pat_[A-Za-z0-9]{22}/gi,
+
+  // Slack tokens
+  /xoxb-[0-9]+-[0-9]+-[0-9]+-[a-zA-Z0-9]+/gi,
+
+  // Database connection strings
+  /mongodb(\+srv)?:\/\/[^:]+:[^@]+@[^/]+/gi,
+  /postgres:\/\/[^:]+:[^@]+@[^/]+/gi,
+  /mysql:\/\/[^:]+:[^@]+@[^/]+/gi,
+];
+
+/**
+ * Scan file for potential secrets
+ * @param {string} filePath - Path to file to scan
+ * @returns {Array} Array of potential secret matches
+ */
+function scanForSecrets(filePath) {
+  try {
+    const content = fs.readFileSync(filePath, "utf8");
+    const matches = [];
+
+    for (const pattern of SECRET_PATTERNS) {
+      const patternMatches = [...content.matchAll(pattern)];
+      for (const match of patternMatches) {
+        matches.push({
+          file: filePath,
+          line: content.substring(0, match.index).split("\n").length,
+          pattern: pattern.toString(),
+          match: match[0],
+          severity: "high",
+        });
+      }
+    }
+
+    return matches;
+  } catch (error) {
+    console.error(`❌ Error scanning ${filePath}:`, error.message);
+    return [];
+  }
+}
+
+/**
+ * Validate tools against allowlist
+ * @param {Array} tools - Tools used in prompts
+ * @param {Array} allowlist - Allowed tools
+ * @returns {Array} Array of violations
+ */
+function validateToolAllowlist(tools, allowlist) {
+  const violations = [];
+
+  for (const tool of tools) {
+    if (!allowlist.includes(tool)) {
+      violations.push({
+        tool,
+        severity: "high",
+        message: `Tool "${tool}" not in allowlist`,
+      });
+    }
+  }
+
+  return violations;
+}
+
+/**
+ * Extract tools from prompt content
+ * @param {string} content - Prompt content
+ * @returns {Array} Array of tools mentioned
+ */
+function extractTools(content) {
+  const tools = [];
+
+  // Common tool patterns
+  const toolPatterns = [
+    /using\s+(node|npm|yarn|pnpm|git|docker|kubectl|aws|azure|gcloud)/gi,
+    /(node|npm|yarn|pnpm|git|docker|kubectl|aws|azure|gcloud)\s+command/gi,
+    /execute\s+(node|npm|yarn|pnpm|git|docker|kubectl|aws|azure|gcloud)/gi,
+    /run\s+(node|npm|yarn|pnpm|git|docker|kubectl|aws|azure|gcloud)/gi,
+  ];
+
+  for (const pattern of toolPatterns) {
+    const matches = [...content.matchAll(pattern)];
+    for (const match of matches) {
+      const tool = match[1] || match[0];
+      if (!tools.includes(tool)) {
+        tools.push(tool);
+      }
+    }
+  }
+
+  return tools;
+}
+
+/**
+ * Lint prompts for security and compliance
+ * @param {Array} promptFiles - Array of prompt file paths
+ * @param {Array} allowlist - Allowed tools
+ * @returns {Object} Lint results
+ */
+function lintPrompts(promptFiles, allowlist) {
+  const results = {
+    secrets: [],
+    violations: [],
+    cleanFiles: 0,
+    totalFiles: promptFiles.length,
+  };
+
+  for (const file of promptFiles) {
+    if (!fs.existsSync(file)) {
+      console.warn(`⚠️  Prompt file not found: ${file}`);
+      continue;
+    }
+
+    // Scan for secrets
+    const secretMatches = scanForSecrets(file);
+    results.secrets.push(...secretMatches);
+
+    // Extract and validate tools
+    const content = fs.readFileSync(file, "utf8");
+    const tools = extractTools(content);
+    const toolViolations = validateToolAllowlist(tools, allowlist);
+    results.violations.push(...toolViolations.map((v) => ({ ...v, file })));
+
+    // Check if file is clean
+    if (secretMatches.length === 0 && toolViolations.length === 0) {
+      results.cleanFiles++;
+    }
+  }
+
+  return results;
+}
+
+/**
+ * Load tool allowlist from file
+ * @param {string} allowlistPath - Path to allowlist file
+ * @returns {Array} Array of allowed tools
+ */
+function loadAllowlist(allowlistPath) {
+  try {
+    if (!fs.existsSync(allowlistPath)) {
+      console.warn(`⚠️  Allowlist file not found: ${allowlistPath}`);
+      return [];
+    }
+
+    const content = fs.readFileSync(allowlistPath, "utf8");
+    return JSON.parse(content);
+  } catch (error) {
+    console.error(`❌ Error loading allowlist:`, error.message);
+    return [];
+  }
+}
+
+// CLI interface
+if (require.main === module) {
+  const promptFiles = process.argv.slice(2);
+  const allowlistArg = process.argv
+    .find((arg) => arg.startsWith("--allowlist="))
+    ?.split("=")[1];
+  const allowlistPath = allowlistArg || ".agent/tools-allow.json";
+
+  if (promptFiles.length === 0) {
+    console.log("CAWS Prompt Linter");
+    console.log(
+      "Usage: node prompt-lint.js <prompt-file1> [prompt-file2] ... [options]"
+    );
+    console.log("Options:");
+    console.log(
+      "  --allowlist=<path>  Path to tools allowlist file (default: .agent/tools-allow.json)"
+    );
+    process.exit(1);
+  }
+
+  // Load allowlist
+  const allowlist = loadAllowlist(allowlistPath);
+
+  console.log("🔍 Linting prompts for security and compliance...");
+  console.log(`📁 Allowlist loaded: ${allowlist.length} tools`);
+  console.log(`📄 Scanning ${promptFiles.length} files...`);
+
+  // Lint prompts
+  const results = lintPrompts(promptFiles, allowlist);
+
+  // Report results
+  if (results.secrets.length > 0) {
+    console.log("\n🚨 POTENTIAL SECRETS DETECTED:");
+    results.secrets.forEach((secret, index) => {
+      console.log(
+        `  ${index + 1}. ${secret.file}:${
+          secret.line
+        } - ${secret.match.substring(0, 50)}...`
+      );
+    });
+  }
+
+  if (results.violations.length > 0) {
+    console.log("\n⚠️  TOOL VIOLATIONS:");
+    results.violations.forEach((violation, index) => {
+      console.log(`  ${index + 1}. ${violation.file} - ${violation.message}`);
+    });
+  }
+
+  console.log("\n📊 SUMMARY:");
+  console.log(`   - Files scanned: ${results.totalFiles}`);
+  console.log(`   - Clean files: ${results.cleanFiles}`);
+  console.log(`   - Secrets found: ${results.secrets.length}`);
+  console.log(`   - Violations: ${results.violations.length}`);
+
+  // Exit with error if issues found
+  if (results.secrets.length > 0 || results.violations.length > 0) {
+    console.log("\n❌ Linting failed - security issues detected");
+    process.exit(1);
+  }
+
+  console.log("✅ All prompts passed security checks");
+  process.exit(0);
+}
+
+module.exports = {
+  scanForSecrets,
+  validateToolAllowlist,
+  extractTools,
+  lintPrompts,
+  loadAllowlist,
+};

package/templates/apps/tools/caws/provenance.js.backup

@@ -0,0 +1,73 @@
+#!/usr/bin/env node
+
+/**
+ * @fileoverview CAWS Provenance Tracker - Real Implementation
+ * @author @darianrosebrook
+ */
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const { execSync } = require('child_process');
+
+/**
+ * Generate comprehensive provenance data for CAWS operations
+ * @param {Object} options - Configuration options
+ * @returns {Object} Complete provenance record
+ */
+function generateProvenance(options = {}) {
+  const projectRoot = options.projectRoot || process.cwd();
+
+  return {
+    // Agent and model information
+    agent: options.agent || 'caws-cli',
+    model: options.model || 'cli-interactive',
+    model_hash: options.modelHash || generateModelHash(),
+
+    // Tool and security information
+    tool_allowlist: options.toolAllowlist || generateToolAllowlist(projectRoot),
+    prompts: options.prompts || [],
+
+    // Git and version control information
+    commit: getCurrentCommit(projectRoot),
+    branch: getCurrentBranch(projectRoot),
+    repository: getRepositoryInfo(projectRoot),
+
+    // File and artifact information
+    artifacts: generateArtifactList(projectRoot),
+    dependencies: generateDependencyInfo(projectRoot),
+
+    // Execution results and metadata
+    results: options.results || {},
+    approvals: options.approvals || [],
+    execution_context: generateExecutionContext(),
+
+    // Security and integrity
+    integrity: generateIntegrityInfo(),
+
+    // Timestamps and versioning
+    timestamp: new Date().toISOString(),
+    version: require(path.join(projectRoot, 'package.json')).version || '1.0.0',
+    provenance_hash: generateProvenanceHash(),
+
+    // Build and deployment information
+    build_info: generateBuildInfo(projectRoot),
+
+    // Change tracking
+    change_summary: generateChangeSummary(projectRoot),
+  };
+}
+
+// Mock provenance saving
+function saveProvenance(provenance, filepath) {
+  const dir = path.dirname(filepath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+  fs.writeFileSync(filepath, JSON.stringify(provenance, null, 2));
+}
+
+module.exports = {
+  generateProvenance,
+  saveProvenance,
+};

package/templates/scripts/quality-gates/check-god-objects.js

@@ -0,0 +1,146 @@
+#!/usr/bin/env node
+
+/**
+ * God Object Detector
+ * 
+ * Checks for god objects (large files) in staged files only.
+ * This script is automatically generated by CAWS scaffold.
+ * 
+ * @author @darianrosebrook
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+
+// Configuration
+const CONFIG = {
+  godObjectThresholds: {
+    warning: 1750,
+    critical: 2000,
+  },
+};
+
+// Collect staged Rust files only
+function collectStagedRustFiles() {
+  try {
+    // Get staged files
+    const stagedFiles = execSync("git diff --cached --name-only", {
+      encoding: "utf8",
+    })
+      .trim()
+      .split("\n")
+      .filter((file) => file.trim() !== "");
+
+    // Filter for Rust files
+    const rustFiles = stagedFiles.filter((file) => file.endsWith(".rs"));
+
+    // Convert to absolute paths
+    const RUST_FILES = [];
+    for (const file of rustFiles) {
+      const fullPath = path.resolve(file);
+      if (fs.existsSync(fullPath)) {
+        RUST_FILES.push(fullPath);
+      }
+    }
+
+    console.log(`📁 Found ${rustFiles.length} staged Rust files to check`);
+    return RUST_FILES;
+  } catch (error) {
+    console.warn(`⚠️  Could not get staged files: ${error.message}`);
+    return [];
+  }
+}
+
+// Check for god objects
+function checkGodObjects() {
+  const RUST_FILES = collectStagedRustFiles();
+  
+  if (RUST_FILES.length === 0) {
+    console.log("✅ No staged Rust files to check for god objects");
+    return { violations: [], warnings: [] };
+  }
+
+  const violations = [];
+  const warnings = [];
+
+  for (const filePath of RUST_FILES) {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      const lineCount = content.split('\n').length;
+      const relativePath = path.relative(process.cwd(), filePath);
+
+      if (lineCount >= CONFIG.godObjectThresholds.critical) {
+        violations.push({
+          file: relativePath,
+          lines: lineCount,
+          message: `CRITICAL: ${lineCount} LOC exceeds god object threshold (${CONFIG.godObjectThresholds.critical}+ LOC)`
+        });
+      } else if (lineCount >= CONFIG.godObjectThresholds.warning) {
+        warnings.push({
+          file: relativePath,
+          lines: lineCount,
+          message: `WARNING: ${lineCount} LOC approaches god object territory (${CONFIG.godObjectThresholds.warning}+ LOC)`
+        });
+      }
+    } catch (error) {
+      console.warn(`⚠️  Could not analyze ${filePath}: ${error.message}`);
+    }
+  }
+
+  return { violations, warnings };
+}
+
+// Check for god object regression
+function checkGodObjectRegression() {
+  const RUST_FILES = collectStagedRustFiles();
+  
+  if (RUST_FILES.length === 0) {
+    return { regression: false };
+  }
+
+  // This is a simplified check - in a real implementation,
+  // you might want to compare against previous commits
+  const results = checkGodObjects();
+  
+  return {
+    regression: results.violations.length > 0,
+    violations: results.violations,
+    warnings: results.warnings
+  };
+}
+
+// Main execution
+function main() {
+  console.log("🏗️  Checking god objects...");
+  
+  const results = checkGodObjects();
+  
+  if (results.violations.length > 0) {
+    console.log("   ❌ God object violations detected:");
+    results.violations.forEach(violation => {
+      console.log(`      ${violation.file}: ${violation.message}`);
+    });
+    process.exit(1);
+  } else {
+    console.log("   ✅ No blocking god object violations");
+  }
+  
+  if (results.warnings.length > 0) {
+    console.log("   ⚠️  God object warnings:");
+    results.warnings.forEach(warning => {
+      console.log(`      ${warning.file}: ${warning.message}`);
+    });
+  }
+}
+
+// Run if called directly
+if (require.main === module) {
+  main();
+}
+
+module.exports = {
+  checkGodObjects,
+  checkGodObjectRegression,
+  collectStagedRustFiles,
+};

package/templates/scripts/quality-gates/run-quality-gates.js

@@ -0,0 +1,50 @@
+#!/usr/bin/env node
+
+/**
+ * Quality Gates Runner
+ * 
+ * Runs comprehensive quality gates on staged files only.
+ * This script is automatically generated by CAWS scaffold.
+ * 
+ * @author @darianrosebrook
+ */
+
+const { runQualityGates } = require('@paths.design/caws-cli/src/utils/quality-gates');
+
+// Parse command line arguments
+const args = process.argv.slice(2);
+const options = {
+  languages: ['rust'],
+  checkTodos: true,
+  checkGodObjects: true,
+  ci: args.includes('--ci') || args.includes('--ci-mode')
+};
+
+// Extract languages from arguments
+const langIndex = args.indexOf('--languages');
+if (langIndex !== -1 && args[langIndex + 1]) {
+  options.languages = args[langIndex + 1].split(',').map(lang => lang.trim());
+}
+
+// Check for disable flags
+if (args.includes('--no-todos')) {
+  options.checkTodos = false;
+}
+
+if (args.includes('--no-god-objects')) {
+  options.checkGodObjects = false;
+}
+
+// Run quality gates
+try {
+  const results = runQualityGates(options);
+  
+  if (!results.passed && options.ci) {
+    process.exit(1);
+  }
+} catch (error) {
+  console.error(`❌ Quality gates failed: ${error.message}`);
+  if (options.ci) {
+    process.exit(1);
+  }
+}