@paulduvall/claude-dev-toolkit 0.0.1-alpha.19 → 0.0.1-alpha.21

package/hooks/security_secrets.py

@@ -0,0 +1,81 @@
+"""Hardcoded secrets detection via regex patterns.
+
+Scans source lines for common secret patterns: API keys, tokens,
+private key headers, and credential URLs. Skips known false positives.
+"""
+
+from __future__ import annotations
+
+import re
+
+from smell_types import FIXES, Smell
+
+# ---------------------------------------------------------------------------
+# Secret patterns -- each is (compiled_regex, description)
+# ---------------------------------------------------------------------------
+
+_PATTERNS: list[tuple[re.Pattern[str], str]] = [
+    (re.compile(r"AKIA[0-9A-Z]{16}"), "AWS access key"),
+    (re.compile(r"ghp_[0-9a-zA-Z]{36}"), "GitHub personal access token"),
+    (re.compile(r"gho_[0-9a-zA-Z]{36}"), "GitHub OAuth token"),
+    (re.compile(r"xoxb-[0-9]{10,13}-[0-9a-zA-Z-]+"), "Slack bot token"),
+    (re.compile(r"xoxp-[0-9]{10,13}-[0-9a-zA-Z-]+"), "Slack user token"),
+    (re.compile(r"sk_live_[0-9a-zA-Z]{24,}"), "Stripe secret key"),
+    (re.compile(r"rk_live_[0-9a-zA-Z]{24,}"), "Stripe restricted key"),
+    (re.compile(r"AIza[0-9A-Za-z_-]{35}"), "Google API key"),
+    (re.compile(r"sk-[0-9a-zA-Z]{20,}T3BlbkFJ[0-9a-zA-Z]+"), "OpenAI API key"),
+    (re.compile(r"-----BEGIN\s+(RSA |EC |DSA )?PRIVATE KEY-----"), "private key"),
+    (re.compile(r"[a-zA-Z+]+://[^:]+:[^@]+@[^\s]+"), "credentials in URL"),
+]
+
+# ---------------------------------------------------------------------------
+# False-positive skip heuristics
+# ---------------------------------------------------------------------------
+
+_FP_WORDS = re.compile(
+    r"(example|fake|test|dummy|placeholder|xxxx|TODO|CHANGEME)",
+    re.IGNORECASE,
+)
+
+
+def _is_false_positive(line: str) -> bool:
+    """Return True if the line looks like a placeholder or example."""
+    stripped = line.strip()
+    if stripped.startswith(("#", "//", "/*", "*")):
+        return True
+    return bool(_FP_WORDS.search(stripped))
+
+
+# ---------------------------------------------------------------------------
+# Public API
+# ---------------------------------------------------------------------------
+
+def _match_line(line: str, lineno: int) -> Smell | None:
+    """Check a single line against all secret patterns."""
+    if _is_false_positive(line):
+        return None
+    for pattern, desc in _PATTERNS:
+        if pattern.search(line):
+            return Smell(
+                "secrets", desc, lineno,
+                f"possible {desc} detected",
+                FIXES["secrets"],
+            )
+    return None
+
+
+def check_secrets(lines: list[str]) -> list[Smell]:
+    """Scan lines for hardcoded secret patterns.
+
+    Args:
+        lines: Source file lines to scan.
+
+    Returns:
+        List of Smell objects for detected secrets.
+    """
+    smells: list[Smell] = []
+    for lineno, line in enumerate(lines, start=1):
+        smell = _match_line(line, lineno)
+        if smell is not None:
+            smells.append(smell)
+    return smells

package/hooks/security_trojan.py

@@ -0,0 +1,61 @@
+"""Unicode trojan source detection.
+
+Detects bidirectional override characters and zero-width characters
+that can be used to disguise malicious code. BOM at file start is allowed.
+"""
+
+from __future__ import annotations
+
+import re
+
+from smell_types import FIXES, Smell
+
+# Bidi overrides: U+202A-U+202E
+_BIDI_OVERRIDES = re.compile(r"[\u202A-\u202E]")
+# Bidi isolates: U+2066-U+2069
+_BIDI_ISOLATES = re.compile(r"[\u2066-\u2069]")
+# Zero-width chars: U+200B-U+200F, U+FEFF (BOM)
+_ZERO_WIDTH = re.compile(r"[\u200B-\u200F\uFEFF]")
+
+
+def _check_bidi(line: str, lineno: int) -> Smell | None:
+    """Check a single line for bidi override/isolate characters."""
+    if _BIDI_OVERRIDES.search(line) or _BIDI_ISOLATES.search(line):
+        return Smell(
+            "trojan_bidi", "bidi-override", lineno,
+            "Unicode bidi override character detected",
+            FIXES["trojan_bidi"],
+        )
+    return None
+
+
+def _check_zero_width(line: str, lineno: int) -> Smell | None:
+    """Check a single line for zero-width characters."""
+    match = _ZERO_WIDTH.search(line)
+    if not match:
+        return None
+    if lineno == 1 and match.start() == 0 and match.group() == "\uFEFF":
+        return None
+    return Smell(
+        "trojan_zero_width", "zero-width-char", lineno,
+        "zero-width Unicode character detected",
+        FIXES["trojan_zero_width"],
+    )
+
+
+def check_trojan(lines: list[str]) -> list[Smell]:
+    """Scan lines for trojan source Unicode characters.
+
+    Args:
+        lines: Source file lines to scan.
+
+    Returns:
+        List of Smell objects for detected trojan characters.
+    """
+    smells: list[Smell] = []
+    for lineno, line in enumerate(lines, start=1):
+        for checker in (_check_bidi, _check_zero_width):
+            result = checker(line, lineno)
+            if result is not None:
+                smells.append(result)
+    return smells

package/hooks/settings.example.json

@@ -0,0 +1,52 @@
+{
+  "hooks": {
+    "PostToolUse": [
+      {
+        "matcher": "Write|Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "python3 ~/.claude/hooks/check-complexity.py"
+          },
+          {
+            "type": "command",
+            "command": "python3 ~/.claude/hooks/check-security.py"
+          }
+        ]
+      }
+    ],
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "python3 ~/.claude/hooks/check-commit-signing.py"
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/tab-color.sh green"
+          }
+        ]
+      }
+    ],
+    "UserPromptSubmit": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/tab-color.sh blue"
+          }
+        ]
+      }
+    ]
+  }
+}

package/hooks/smell_checks.py

@@ -0,0 +1,238 @@
+"""Code smell detection -- file-level checks, lizard checks, orchestration.
+
+Delegates Python AST analysis to smell_python, JS/TS analysis to
+smell_javascript, and shared types to smell_types.  This module
+provides the public API: check_file() and format_violations().
+"""
+
+from __future__ import annotations
+
+import os
+
+from config import Config, DEFAULT_CONFIG, is_file_suppressed, load_config
+from suppression import filter_suppressed
+from smell_types import (
+    DUPLICATE_MIN_LINES,
+    DUPLICATE_MIN_OCCURRENCES,
+    FIXES,
+    MAX_PARAMETERS,
+    MAX_COMPLEXITY,
+    MAX_FUNCTION_LINES,
+    Smell,
+    apply_threshold_checks,
+)
+from smell_javascript import check_javascript
+from smell_python import check_python
+from smell_ruff import RUFF_EXTS, check_ruff
+
+# ---------------------------------------------------------------------------
+# File-level: length
+# ---------------------------------------------------------------------------
+
+def check_file_length(
+    file_path: str, lines: list[str], config: Config | None = None,
+) -> list[Smell]:
+    """Flag files exceeding the configured max file lines."""
+    limit = (config or DEFAULT_CONFIG).max_file_lines
+    count = len(lines)
+    if count <= limit:
+        return []
+    return [Smell(
+        "long_file", os.path.basename(file_path), 1,
+        f"file is {count} lines (max {limit})",
+        FIXES["long_file"],
+    )]
+
+
+# ---------------------------------------------------------------------------
+# File-level: duplicate blocks
+# ---------------------------------------------------------------------------
+
+_SKIP_PREFIXES = ("import ", "from ", "export ", "require(", "#", "//", "/*")
+_TRIVIAL_LINES = frozenset((
+    "{", "}", "(", ")", "[", "]",
+    "else:", "else {", "try:", "finally:",
+))
+
+
+def _is_trivial(line: str) -> bool:
+    """Return True for lines to skip in duplicate detection."""
+    stripped = line.strip()
+    if not stripped or stripped in _TRIVIAL_LINES:
+        return True
+    return stripped.startswith(_SKIP_PREFIXES)
+
+
+def _build_fingerprints(lines: list[str]) -> dict[tuple[str, ...], list[int]]:
+    """Map fingerprints of consecutive non-trivial lines to positions."""
+    entries = [
+        (i + 1, line.strip())
+        for i, line in enumerate(lines)
+        if not _is_trivial(line)
+    ]
+    fps: dict[tuple[str, ...], list[int]] = {}
+    for i in range(len(entries) - DUPLICATE_MIN_LINES + 1):
+        window = entries[i : i + DUPLICATE_MIN_LINES]
+        fp = tuple(e[1] for e in window)
+        fps.setdefault(fp, []).append(window[0][0])
+    return fps
+
+
+def _overlaps(locs: list[int], reported: set[int]) -> bool:
+    """Return True if any location overlaps already-reported lines."""
+    return any(
+        loc + i in reported
+        for loc in locs
+        for i in range(DUPLICATE_MIN_LINES)
+    )
+
+
+def _mark_reported(locs: list[int], reported: set[int]) -> None:
+    """Add all lines covered by locs into the reported set."""
+    for loc in locs:
+        reported.update(range(loc, loc + DUPLICATE_MIN_LINES))
+
+
+def _make_dup_smell(locs: list[int]) -> Smell:
+    """Create a Smell for a single duplicate block occurrence."""
+    loc_str = ", ".join(str(loc) for loc in locs[:4])
+    return Smell(
+        "duplicate_block", "<repeated-code>", locs[0],
+        f"{DUPLICATE_MIN_LINES}-line block repeated at lines {loc_str}",
+        FIXES["duplicate_block"],
+    )
+
+
+def check_duplicate_blocks(
+    file_path: str, lines: list[str], config: Config | None = None,
+) -> list[Smell]:
+    """Detect repeated consecutive code blocks within a file."""
+    fps = _build_fingerprints(lines)
+    smells: list[Smell] = []
+    reported: set[int] = set()
+    for _fp, locs in sorted(fps.items(), key=lambda x: x[1][0]):
+        if len(locs) < DUPLICATE_MIN_OCCURRENCES:
+            continue
+        if _overlaps(locs, reported):
+            continue
+        _mark_reported(locs, reported)
+        smells.append(_make_dup_smell(locs))
+        if len(smells) >= 3:
+            break
+    return smells
+
+
+# ---------------------------------------------------------------------------
+# Lizard-based checks (non-JS/TS languages)
+# ---------------------------------------------------------------------------
+
+def _check_lizard_func(func: object) -> list[Smell]:
+    """Check a single lizard function result for smells."""
+    name = getattr(func, "name", "<unknown>")
+    line = getattr(func, "start_line", 0)
+    return apply_threshold_checks(name, line, [
+        ("complexity", getattr(func, "cyclomatic_complexity", 0), MAX_COMPLEXITY),
+        ("long_function", getattr(func, "nloc", 0), MAX_FUNCTION_LINES),
+        ("too_many_params", len(getattr(func, "parameters", [])), MAX_PARAMETERS),
+    ])
+
+
+def check_with_lizard(file_path: str) -> list[Smell]:
+    """Use lizard for CC, function length, and parameter count."""
+    try:
+        import lizard
+    except ImportError:
+        return []
+    try:
+        analysis = lizard.analyze_file(file_path)
+    except Exception:
+        return []
+    smells: list[Smell] = []
+    for func in analysis.function_list:
+        smells.extend(_check_lizard_func(func))
+    return smells
+
+
+# ---------------------------------------------------------------------------
+# Orchestration
+# ---------------------------------------------------------------------------
+
+PYTHON_EXTS = frozenset((".py",))
+JS_EXTS = frozenset((".js", ".jsx", ".ts", ".tsx"))
+LIZARD_EXTS = frozenset((".java", ".go", ".rs", ".c", ".cpp", ".cs"))
+ALL_EXTS = PYTHON_EXTS | JS_EXTS | LIZARD_EXTS
+SKIP_DIRS = frozenset((
+    "node_modules", "__pycache__", ".git", "dist", "build", ".next",
+))
+
+
+def _should_skip(file_path: str) -> bool:
+    """Return True for paths in ignored directories."""
+    parts = set(file_path.replace("\\", "/").split("/"))
+    return bool(SKIP_DIRS & parts)
+
+
+def _read_source(file_path: str) -> str | None:
+    """Read file contents, returning None on failure."""
+    try:
+        with open(file_path, "r", encoding="utf-8", errors="replace") as fh:
+            return fh.read()
+    except OSError:
+        return None
+
+
+def _run_lang_checks(ext: str, file_path: str, source: str) -> list[Smell]:
+    """Run language-specific checks based on file extension."""
+    if ext in PYTHON_EXTS:
+        return check_python(file_path, source)
+    if ext in JS_EXTS:
+        return check_javascript(file_path, source)
+    if ext in LIZARD_EXTS:
+        return check_with_lizard(file_path)
+    return []
+
+
+def _ruff_then_reread(
+    ext: str, file_path: str, source: str,
+) -> tuple[list[Smell], str, list[str]]:
+    """Run ruff on Python files and re-read; return smells + fresh source."""
+    if ext not in RUFF_EXTS:
+        return [], source, source.splitlines()
+    smells = check_ruff(file_path)
+    fresh = _read_source(file_path)
+    if fresh is None:
+        return smells, source, source.splitlines()
+    return smells, fresh, fresh.splitlines()
+
+
+def check_file(file_path: str, config: Config | None = None) -> list[Smell]:
+    """Run all applicable smell checks on a single file."""
+    if config is None:
+        config = load_config(file_path)
+    ext = os.path.splitext(file_path)[1]
+    if ext not in ALL_EXTS or _should_skip(file_path):
+        return []
+    if is_file_suppressed(file_path, config):
+        return []
+    source = _read_source(file_path)
+    if source is None:
+        return []
+    smells, source, lines = _ruff_then_reread(ext, file_path, source)
+    smells.extend(check_file_length(file_path, lines, config))
+    smells.extend(check_duplicate_blocks(file_path, lines, config))
+    smells.extend(_run_lang_checks(ext, file_path, source))
+    return filter_suppressed(smells, lines, "smell")
+
+
+def format_violations(file_path: str, smells: list[Smell]) -> str:
+    """Build the feedback message for Claude."""
+    header = f"\nCODE SMELL VIOLATIONS in {file_path}:"
+    details = []
+    for s in smells:
+        tag = s.kind.upper().replace("_", " ")
+        details.append(f"  [{tag}] {s.name}() line {s.line}: {s.detail}")
+    fixes = ["\nFix these code smells before moving on:"]
+    for fix in dict.fromkeys(s.fix for s in smells):
+        fixes.append(f"  - {fix}")
+    fixes.append("Then notify the user what you fixed and why.")
+    return "\n".join([header, *details, *fixes])

package/hooks/smell_javascript.py

@@ -0,0 +1,231 @@
+"""Native JS/TS token-based code smell checks.
+
+Detects: cyclomatic complexity, long functions, deep nesting,
+and too-many-parameters in JavaScript and TypeScript source files.
+
+Uses a token-based parser (strip comments/strings, regex function
+detection, brace matching) -- zero external dependencies.
+"""
+
+from __future__ import annotations
+
+import re
+from typing import NamedTuple
+
+from smell_types import (
+    MAX_COMPLEXITY,
+    MAX_FUNCTION_LINES,
+    MAX_NESTING_DEPTH,
+    MAX_PARAMETERS,
+    Smell,
+    apply_threshold_checks,
+)
+
+# ---------------------------------------------------------------------------
+# Layer 1 -- Tokenizer: strip comments and strings
+# ---------------------------------------------------------------------------
+
+_COMMENT_OR_STRING = re.compile(
+    r"//[^\n]*"              # single-line comment
+    r"|/\*[\s\S]*?\*/"       # multi-line comment
+    r"|`(?:[^`\\]|\\.)*`"    # template literal
+    r'|"(?:[^"\\]|\\.)*"'    # double-quoted string
+    r"|'(?:[^'\\]|\\.)*'"    # single-quoted string
+    r"|/(?![*/])(?:[^/\\\n]|\\.)+/[gimsuy]*"  # regex literal
+)
+
+
+def _strip_comments_and_strings(source: str) -> str:
+    """Replace comment/string contents with spaces, preserving lines."""
+    def _replacer(match: re.Match[str]) -> str:
+        return re.sub(r"[^\n]", " ", match.group(0))
+    return _COMMENT_OR_STRING.sub(_replacer, source)
+
+
+# ---------------------------------------------------------------------------
+# Layer 2 -- Function Finder
+# ---------------------------------------------------------------------------
+
+class _JsFunc(NamedTuple):
+    """A detected JS/TS function."""
+
+    name: str
+    start_line: int
+    end_line: int
+    params_str: str
+    body_source: str
+
+
+_MAYBE_ASYNC = r"(?:async\s+)?"
+_MAYBE_EXPORT = r"(?:export\s+)?"
+_MAYBE_GENERICS = r"(?:<[^>]*>)?"
+_MAYBE_RETURN_TYPE = r"(?::\s*[^{]+?)?"
+_IDENT = r"(?P<name>[a-zA-Z_$][a-zA-Z0-9_$]*)"
+_PARAMS = r"\((?P<params>[^)]*)\)"
+_DECL_VAR = r"(?:const|let|var)"
+_MAYBE_TYPE_ANN = r"(?::\s*[^=]+?)?"
+_MAYBE_STAR = r"\*?\s*"
+
+# Shared tail: <generics?> (params) <return-type?> {
+_PARAMS_OPEN = r"\s*" + _MAYBE_GENERICS + r"\s*" + _PARAMS + r"\s*" + _MAYBE_RETURN_TYPE
+_VAR_PREFIX = _MAYBE_EXPORT + _DECL_VAR + r"\s+" + _IDENT + r"\s*" + _MAYBE_TYPE_ANN + r"\s*=\s*"
+
+# Patterns that detect function declarations in stripped source.
+_FUNC_PATTERNS = [
+    # function declaration / async function declaration
+    re.compile(
+        _MAYBE_EXPORT + _MAYBE_ASYNC + r"function\s*" + _MAYBE_STAR
+        + _IDENT + _PARAMS_OPEN + r"\s*\{"
+    ),
+    # const/let/var name = function(params) {
+    re.compile(
+        _VAR_PREFIX + _MAYBE_ASYNC + r"function\s*" + _MAYBE_STAR
+        + r"(?:[a-zA-Z_$][a-zA-Z0-9_$]*)?" + _PARAMS_OPEN + r"\s*\{"
+    ),
+    # const/let/var name = (params) => {
+    re.compile(
+        _VAR_PREFIX + _MAYBE_ASYNC + _MAYBE_GENERICS
+        + r"\s*" + _PARAMS + r"\s*" + _MAYBE_RETURN_TYPE + r"\s*=>\s*\{"
+    ),
+    # class method: name(params) {
+    re.compile(
+        r"(?:(?:async|static|get|set|public|private|protected"
+        r"|readonly|override|abstract)\s+)*"
+        + _IDENT + _PARAMS_OPEN + r"\s*\{"
+    ),
+]
+
+
+def _match_brace(source: str, open_pos: int) -> int:
+    """Return index of the closing } that matches the { at open_pos."""
+    depth = 1
+    for i in range(open_pos + 1, len(source)):
+        if source[i] == "{":
+            depth += 1
+            continue
+        if source[i] != "}":
+            continue
+        depth -= 1
+        if depth == 0:
+            return i
+    return len(source) - 1
+
+
+def _line_of(source: str, char_index: int) -> int:
+    """Return 1-based line number for char_index in source."""
+    return source[:char_index].count("\n") + 1
+
+
+def _overlaps_existing(start: int, ranges: list[tuple[int, int]]) -> bool:
+    """Return True if start falls inside an already-claimed range."""
+    return any(r_start <= start < r_end for r_start, r_end in ranges)
+
+
+def _collect_raw_matches(stripped: str) -> list[tuple[int, int, str, str]]:
+    """Scan stripped source for all function matches, deduped by range."""
+    found: list[tuple[int, int, str, str]] = []
+    used: list[tuple[int, int]] = []
+    for pattern in _FUNC_PATTERNS:
+        for match in pattern.finditer(stripped):
+            start = match.start()
+            if _overlaps_existing(start, used):
+                continue
+            brace_pos = stripped.index("{", match.end() - 1)
+            close_pos = _match_brace(stripped, brace_pos)
+            found.append((start, close_pos, match.group("name"), match.group("params")))
+            used.append((start, close_pos))
+    found.sort(key=lambda x: x[0])
+    return found
+
+
+def _find_functions(stripped: str) -> list[_JsFunc]:
+    """Find all functions in the stripped source."""
+    results: list[_JsFunc] = []
+    for start, close, name, params in _collect_raw_matches(stripped):
+        start_line = _line_of(stripped, start)
+        end_line = _line_of(stripped, close)
+        body = stripped[start:close + 1]
+        results.append(_JsFunc(name, start_line, end_line, params, body))
+    return results
+
+
+# ---------------------------------------------------------------------------
+# Layer 3 -- Metric functions
+# ---------------------------------------------------------------------------
+
+_CC_KEYWORDS = re.compile(
+    r"\b(?:if|else\s+if|case|catch|for|while|do)\b"
+)
+_CC_OPERATORS = re.compile(r"&&|\|\||\?\?|\?\.")
+_CC_TERNARY_REAL = re.compile(r"\?(?![.:])")
+
+
+def _js_complexity(body: str) -> int:
+    """Calculate cyclomatic complexity for a JS/TS function body."""
+    cc = 1
+    cc += len(_CC_KEYWORDS.findall(body))
+    cc += len(_CC_OPERATORS.findall(body))
+    cc += len(_CC_TERNARY_REAL.findall(body))
+    return cc
+
+
+def _js_func_lines(start: int, end: int) -> int:
+    """Return line count for a function."""
+    return end - start + 1
+
+
+def _js_nesting_depth(body: str) -> int:
+    """Calculate max nesting depth within a function body."""
+    max_depth = 0
+    depth = 0
+    for ch in body:
+        if ch == "{":
+            depth += 1
+            max_depth = max(max_depth, depth)
+        elif ch == "}":
+            depth = max(depth - 1, 0)
+    # Subtract 1 for the function's own braces
+    return max(max_depth - 1, 0)
+
+
+_TS_TYPE_ANNOTATION = re.compile(r"\s*[?!]?\s*:\s*[^,)]+")
+
+
+def _js_param_count(params_str: str) -> int:
+    """Count parameters, stripping TS type annotations."""
+    params = params_str.strip()
+    if not params:
+        return 0
+    cleaned = _TS_TYPE_ANNOTATION.sub("", params)
+    parts = [p.strip() for p in cleaned.split(",") if p.strip()]
+    return len(parts)
+
+
+# ---------------------------------------------------------------------------
+# Public API
+# ---------------------------------------------------------------------------
+
+def _check_js_func(func: _JsFunc) -> list[Smell]:
+    """Check a single JS/TS function for all smells."""
+    return apply_threshold_checks(func.name, func.start_line, [
+        ("complexity", _js_complexity(func.body_source), MAX_COMPLEXITY),
+        ("long_function", _js_func_lines(func.start_line, func.end_line),
+         MAX_FUNCTION_LINES),
+        ("deep_nesting", _js_nesting_depth(func.body_source),
+         MAX_NESTING_DEPTH),
+        ("too_many_params", _js_param_count(func.params_str),
+         MAX_PARAMETERS),
+    ])
+
+
+def check_javascript(file_path: str, source: str) -> list[Smell]:
+    """Run all token-based smell checks on a JS/TS file."""
+    try:
+        stripped = _strip_comments_and_strings(source)
+        funcs = _find_functions(stripped)
+    except Exception:
+        return []
+    smells: list[Smell] = []
+    for func in funcs:
+        smells.extend(_check_js_func(func))
+    return smells