@prajwolkc/stk 0.5.1 → 0.7.0

package/dist/services/brain.js

@@ -2,6 +2,7 @@ import { readFileSync, writeFileSync, existsSync, mkdirSync, readdirSync } from
 import { join, resolve, basename } from "path";
 import { homedir } from "os";
 import { randomUUID } from "crypto";
+import { execSync } from "child_process";
 import { loadConfig } from "../lib/config.js";
 // ──────────────────────────────────────────
 // Storage
@@ -524,3 +525,165 @@ export async function syncBrain() {
         errors: [...pushResult.errors, ...pullResult.errors],
     };
 }
+/** Search brain with relevance scoring — returns entries ranked by how many terms match */
+export function smartSearch(terms, category) {
+    const store = loadBrainStore();
+    let entries = getAllEntries(store);
+    if (category) {
+        entries = entries.filter(e => e.category === category);
+    }
+    const normalizedTerms = terms.map(t => t.toLowerCase());
+    const scored = [];
+    for (const entry of entries) {
+        const searchText = `${entry.title} ${entry.content} ${entry.tags.join(" ")}`.toLowerCase();
+        const matchedTerms = [];
+        let score = 0;
+        for (const term of normalizedTerms) {
+            if (searchText.includes(term)) {
+                matchedTerms.push(term);
+                // Title match scores higher
+                if (entry.title.toLowerCase().includes(term))
+                    score += 3;
+                // Tag match scores high
+                else if (entry.tags.some(t => t.toLowerCase().includes(term)))
+                    score += 2;
+                // Content match
+                else
+                    score += 1;
+            }
+        }
+        // Boost gotcha/debugging entries
+        if (entry.tags.some(t => ["gotcha", "debugging", "bug", "fix", "issue"].includes(t))) {
+            score *= 1.5;
+        }
+        if (score > 0) {
+            scored.push({ entry, score, matchedTerms });
+        }
+    }
+    return scored.sort((a, b) => b.score - a.score);
+}
+/** Extract relevant terms from a task description */
+export function extractTerms(description) {
+    const stopWords = new Set([
+        "a", "an", "the", "is", "are", "was", "were", "be", "been", "being",
+        "have", "has", "had", "do", "does", "did", "will", "would", "could",
+        "should", "may", "might", "shall", "can", "need", "must", "to", "of",
+        "in", "for", "on", "with", "at", "by", "from", "as", "into", "about",
+        "like", "through", "after", "before", "between", "under", "above",
+        "and", "but", "or", "not", "no", "so", "if", "then", "than", "too",
+        "very", "just", "also", "how", "what", "when", "where", "why", "which",
+        "that", "this", "these", "those", "it", "its", "i", "we", "you", "they",
+        "me", "us", "my", "our", "your", "add", "implement", "create", "build",
+        "make", "want", "get", "set", "use", "new", "update", "change",
+    ]);
+    const words = description.toLowerCase()
+        .replace(/[^a-z0-9\s-]/g, " ")
+        .split(/\s+/)
+        .filter(w => w.length > 2 && !stopWords.has(w));
+    // Also extract multi-word phrases
+    const phrases = [];
+    const desc = description.toLowerCase();
+    const commonPhrases = [
+        "email verification", "password reset", "auth state", "user select",
+        "prisma select", "react context", "protected route", "refresh token",
+        "rate limit", "soft delete", "multi-tenant", "org scoping",
+        "file upload", "webhook", "cron job", "background job",
+        "api key", "role based", "permission", "middleware",
+    ];
+    for (const phrase of commonPhrases) {
+        if (desc.includes(phrase))
+            phrases.push(phrase);
+    }
+    return [...new Set([...words, ...phrases])];
+}
+/** Proactive check — find gotchas relevant to a task before coding */
+export function brainCheck(taskDescription) {
+    const terms = extractTerms(taskDescription);
+    return smartSearch(terms);
+}
+/** Diagnose an error — find matching patterns from past issues */
+export function brainDiagnose(error) {
+    const terms = extractTerms(error);
+    // Add error-specific terms
+    const errorTerms = error.toLowerCase()
+        .replace(/[^a-z0-9\s]/g, " ")
+        .split(/\s+/)
+        .filter(w => w.length > 3);
+    const allTerms = [...new Set([...terms, ...errorTerms])];
+    return smartSearch(allTerms);
+}
+/** Seed brain with curated patterns (idempotent) */
+export function seedBrain(patterns, force = false) {
+    const store = loadBrainStore();
+    if (force) {
+        // Remove existing seed entries
+        store.global = store.global.filter(e => !e.source.startsWith("seed:"));
+    }
+    const existingIds = new Set(getAllEntries(store).map(e => e.id));
+    let added = 0;
+    let skipped = 0;
+    for (const entry of patterns) {
+        if (existingIds.has(entry.id)) {
+            skipped++;
+            continue;
+        }
+        store.global.push(entry);
+        added++;
+    }
+    if (added > 0)
+        saveBrainStore(store);
+    return { added, skipped };
+}
+export function reviewDiff(diff) {
+    const results = [];
+    // Split diff into per-file chunks
+    const fileChunks = diff.split(/^diff --git /m).slice(1);
+    for (const chunk of fileChunks) {
+        const pathMatch = chunk.match(/b\/(.+?)[\s\n]/);
+        if (!pathMatch)
+            continue;
+        const filePath = pathMatch[1];
+        // Count changed lines
+        const addedLines = (chunk.match(/^\+[^+]/gm) ?? []).length;
+        const removedLines = (chunk.match(/^-[^-]/gm) ?? []).length;
+        const linesChanged = addedLines + removedLines;
+        // Extract terms from filename and changed content
+        const addedContent = (chunk.match(/^\+(.+)$/gm) ?? []).map(l => l.slice(1)).join(" ");
+        const searchText = `${filePath} ${addedContent}`;
+        const terms = extractTerms(searchText);
+        // Also add file-extension-based terms
+        if (filePath.endsWith(".prisma"))
+            terms.push("prisma", "schema", "database");
+        if (filePath.includes("auth"))
+            terms.push("auth", "authentication");
+        if (filePath.includes("route"))
+            terms.push("route", "api", "endpoint");
+        if (filePath.includes("middleware"))
+            terms.push("middleware");
+        if (filePath.includes("docker") || filePath.includes("Dockerfile"))
+            terms.push("docker", "container");
+        const matches = smartSearch([...new Set(terms)]);
+        if (matches.length > 0) {
+            results.push({
+                file: filePath,
+                linesChanged,
+                warnings: matches.slice(0, 3).map(m => ({
+                    title: m.entry.title,
+                    content: m.entry.content.slice(0, 300),
+                    relevance: m.score,
+                    source: m.entry.source,
+                })),
+            });
+        }
+    }
+    return results;
+}
+/** Get contributor name from git config */
+export function getContributor() {
+    try {
+        return execSync("git config user.name", { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
+    }
+    catch {
+        return "unknown";
+    }
+}

package/dist/services/metrics.d.ts

@@ -0,0 +1,35 @@
+export interface MetricEntry {
+    timestamp: string;
+    type: "deploy" | "health_check" | "error" | "response_time";
+    value: number;
+    metadata: Record<string, string>;
+}
+interface MetricsStore {
+    version: 1;
+    entries: MetricEntry[];
+}
+export declare function loadMetrics(): MetricsStore;
+export declare function saveMetrics(store: MetricsStore): void;
+export declare function recordMetric(type: MetricEntry["type"], value: number, metadata?: Record<string, string>): void;
+export declare function getMetrics(type?: MetricEntry["type"], days?: number, limit?: number): MetricEntry[];
+export declare function getBaseline(type: MetricEntry["type"]): number;
+export declare function compareToBaseline(type: MetricEntry["type"]): {
+    current: number;
+    baseline: number;
+    changePct: number;
+    status: "degraded" | "stable" | "improved";
+};
+export declare function getDeployFrequency(days?: number): {
+    total: number;
+    perDay: number;
+};
+export declare function getErrorRate(days?: number): {
+    total: number;
+    perDay: number;
+};
+export declare function getUptime(days?: number): {
+    checks: number;
+    healthy: number;
+    pct: number;
+};
+export {};

package/dist/services/metrics.js

@@ -0,0 +1,78 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+const STK_DIR = join(homedir(), ".stk");
+const METRICS_PATH = join(STK_DIR, "metrics.json");
+const MAX_ENTRIES = 1000;
+function ensureDir() {
+    if (!existsSync(STK_DIR))
+        mkdirSync(STK_DIR, { recursive: true });
+}
+export function loadMetrics() {
+    ensureDir();
+    if (!existsSync(METRICS_PATH))
+        return { version: 1, entries: [] };
+    try {
+        return JSON.parse(readFileSync(METRICS_PATH, "utf-8"));
+    }
+    catch {
+        return { version: 1, entries: [] };
+    }
+}
+export function saveMetrics(store) {
+    ensureDir();
+    writeFileSync(METRICS_PATH, JSON.stringify(store, null, 2));
+}
+export function recordMetric(type, value, metadata = {}) {
+    const store = loadMetrics();
+    store.entries.push({ timestamp: new Date().toISOString(), type, value, metadata });
+    // Evict oldest if over limit
+    if (store.entries.length > MAX_ENTRIES) {
+        store.entries = store.entries.slice(-MAX_ENTRIES);
+    }
+    saveMetrics(store);
+}
+export function getMetrics(type, days = 7, limit = 100) {
+    const store = loadMetrics();
+    const since = new Date(Date.now() - days * 86400000).toISOString();
+    let entries = store.entries.filter(e => e.timestamp >= since);
+    if (type)
+        entries = entries.filter(e => e.type === type);
+    return entries.slice(-limit);
+}
+export function getBaseline(type) {
+    const store = loadMetrics();
+    const ofType = store.entries.filter(e => e.type === type).slice(-10);
+    if (ofType.length === 0)
+        return 0;
+    return ofType.reduce((sum, e) => sum + e.value, 0) / ofType.length;
+}
+export function compareToBaseline(type) {
+    const store = loadMetrics();
+    const ofType = store.entries.filter(e => e.type === type);
+    if (ofType.length < 2)
+        return { current: 0, baseline: 0, changePct: 0, status: "stable" };
+    const recent = ofType.slice(-3);
+    const older = ofType.slice(-13, -3);
+    const current = recent.reduce((s, e) => s + e.value, 0) / recent.length;
+    const baseline = older.length > 0 ? older.reduce((s, e) => s + e.value, 0) / older.length : current;
+    const changePct = baseline === 0 ? 0 : Math.round(((current - baseline) / baseline) * 100);
+    const status = changePct > 20 ? "degraded" : changePct < -20 ? "improved" : "stable";
+    return { current: Math.round(current * 100) / 100, baseline: Math.round(baseline * 100) / 100, changePct, status };
+}
+export function getDeployFrequency(days = 7) {
+    const entries = getMetrics("deploy", days, 1000);
+    const perDay = days > 0 ? Math.round((entries.length / days) * 10) / 10 : 0;
+    return { total: entries.length, perDay };
+}
+export function getErrorRate(days = 7) {
+    const entries = getMetrics("error", days, 1000);
+    const perDay = days > 0 ? Math.round((entries.length / days) * 10) / 10 : 0;
+    return { total: entries.length, perDay };
+}
+export function getUptime(days = 7) {
+    const entries = getMetrics("health_check", days, 1000);
+    const healthy = entries.filter(e => e.value > 0).length;
+    const pct = entries.length > 0 ? Math.round((healthy / entries.length) * 1000) / 10 : 100;
+    return { checks: entries.length, healthy, pct };
+}

package/dist/services/security.d.ts

@@ -0,0 +1,19 @@
+export interface SecurityFinding {
+    check: string;
+    level: "critical" | "warning" | "info";
+    message: string;
+    file?: string;
+    fix?: string;
+}
+/** Check for exposed secrets in .env files */
+export declare function checkSecrets(): SecurityFinding[];
+/** Check for outdated/vulnerable dependencies */
+export declare function checkDeps(): SecurityFinding[];
+/** Check for missing rate limiting */
+export declare function checkRateLimit(): SecurityFinding[];
+/** Check for open CORS */
+export declare function checkCors(): SecurityFinding[];
+/** Check for routes without auth middleware */
+export declare function checkAuth(): SecurityFinding[];
+/** Run all security checks */
+export declare function runAllChecks(checks?: string[]): SecurityFinding[];

package/dist/services/security.js

@@ -0,0 +1,194 @@
+import { readFileSync, existsSync, readdirSync } from "fs";
+import { execSync } from "child_process";
+import { resolve, join } from "path";
+/** Check for exposed secrets in .env files */
+export function checkSecrets() {
+    const findings = [];
+    const envFiles = [".env", ".env.local", ".env.production", ".env.staging"];
+    // Check if .gitignore exists and covers env files
+    let gitignoreContent = "";
+    if (existsSync(".gitignore")) {
+        gitignoreContent = readFileSync(".gitignore", "utf-8");
+    }
+    for (const file of envFiles) {
+        if (!existsSync(file))
+            continue;
+        if (!gitignoreContent.includes(file) && !gitignoreContent.includes(".env*") && !gitignoreContent.includes(".env")) {
+            findings.push({
+                check: "secrets",
+                level: "critical",
+                message: `${file} is NOT in .gitignore — secrets may be committed`,
+                file,
+                fix: `Add "${file}" to .gitignore`,
+            });
+        }
+        const content = readFileSync(file, "utf-8");
+        const lines = content.split("\n");
+        for (const line of lines) {
+            const [key, ...rest] = line.split("=");
+            const value = rest.join("=").trim();
+            if (!key || !value || key.startsWith("#"))
+                continue;
+            // Check for known secret patterns
+            if (value.startsWith("AKIA") && key.includes("AWS")) {
+                findings.push({ check: "secrets", level: "critical", message: `AWS access key found in ${file}`, file, fix: "Use environment variables or secrets manager" });
+            }
+            if (value.startsWith("sk_live_")) {
+                findings.push({ check: "secrets", level: "critical", message: `Live Stripe secret key in ${file}`, file, fix: "Use sk_test_ for development" });
+            }
+            if (key.includes("JWT_SECRET") && value.length < 32) {
+                findings.push({ check: "secrets", level: "warning", message: `JWT_SECRET is short (${value.length} chars) — use at least 32`, file, fix: "Generate a longer secret: openssl rand -hex 32" });
+            }
+        }
+    }
+    return findings;
+}
+/** Check for outdated/vulnerable dependencies */
+export function checkDeps() {
+    const findings = [];
+    const pkgPaths = ["package.json", "node-backend/package.json", "frontend/package.json", "backend/package.json"];
+    for (const pkg of pkgPaths) {
+        if (!existsSync(pkg))
+            continue;
+        const dir = pkg === "package.json" ? "." : pkg.replace("/package.json", "");
+        try {
+            const result = execSync(`npm audit --json 2>/dev/null`, { cwd: resolve(dir), encoding: "utf-8", timeout: 30000 });
+            const audit = JSON.parse(result);
+            const vulns = audit.metadata?.vulnerabilities ?? {};
+            const critical = vulns.critical ?? 0;
+            const high = vulns.high ?? 0;
+            const moderate = vulns.moderate ?? 0;
+            if (critical > 0) {
+                findings.push({ check: "deps", level: "critical", message: `${critical} critical vulnerabilities in ${dir}`, file: pkg, fix: "Run: npm audit fix" });
+            }
+            if (high > 0) {
+                findings.push({ check: "deps", level: "warning", message: `${high} high vulnerabilities in ${dir}`, file: pkg, fix: "Run: npm audit fix" });
+            }
+            if (moderate > 0) {
+                findings.push({ check: "deps", level: "info", message: `${moderate} moderate vulnerabilities in ${dir}`, file: pkg });
+            }
+        }
+        catch {
+            // npm audit returns non-zero when vulns found
+            try {
+                const stderr = execSync(`npm audit --json 2>&1 || true`, { cwd: resolve(dir), encoding: "utf-8", timeout: 30000 });
+                const audit = JSON.parse(stderr);
+                const vulns = audit.metadata?.vulnerabilities ?? {};
+                if ((vulns.critical ?? 0) > 0) {
+                    findings.push({ check: "deps", level: "critical", message: `${vulns.critical} critical vulnerabilities in ${dir}`, file: pkg });
+                }
+                if ((vulns.high ?? 0) > 0) {
+                    findings.push({ check: "deps", level: "warning", message: `${vulns.high} high vulnerabilities in ${dir}`, file: pkg });
+                }
+            }
+            catch { /* skip */ }
+        }
+    }
+    return findings;
+}
+/** Check for missing rate limiting */
+export function checkRateLimit() {
+    const findings = [];
+    const routeDirs = ["src/routes", "node-backend/src/routes", "backend/src/routes", "api/src/routes"];
+    for (const dir of routeDirs) {
+        if (!existsSync(dir))
+            continue;
+        // Check if rate limiter middleware exists
+        const middlewareDirs = [
+            dir.replace("/routes", "/middleware"),
+            dir.replace("/routes", "/middlewares"),
+        ];
+        let hasRateLimit = false;
+        for (const mDir of middlewareDirs) {
+            if (!existsSync(mDir))
+                continue;
+            const files = readdirSync(mDir);
+            for (const f of files) {
+                const content = readFileSync(join(mDir, f), "utf-8");
+                if (content.includes("rate") && content.includes("limit")) {
+                    hasRateLimit = true;
+                    break;
+                }
+            }
+        }
+        if (!hasRateLimit) {
+            findings.push({
+                check: "rate_limit",
+                level: "warning",
+                message: `No rate limiting middleware found in ${dir.replace("/routes", "/middleware")}`,
+                fix: "Add express-rate-limit or similar middleware",
+            });
+        }
+        break;
+    }
+    return findings;
+}
+/** Check for open CORS */
+export function checkCors() {
+    const findings = [];
+    const searchFiles = ["src/index.ts", "src/app.ts", "src/server.ts", "node-backend/src/index.ts", "node-backend/src/app.ts"];
+    for (const file of searchFiles) {
+        if (!existsSync(file))
+            continue;
+        const content = readFileSync(file, "utf-8");
+        if (content.includes("origin: '*'") || content.includes('origin: "*"')) {
+            findings.push({ check: "cors", level: "warning", message: `CORS allows all origins (*) in ${file}`, file, fix: "Restrict CORS to your frontend domain" });
+        }
+        if (content.includes("cors()") && !content.includes("origin")) {
+            findings.push({ check: "cors", level: "info", message: `CORS initialized without explicit origin in ${file}`, file, fix: "Set explicit CORS origin" });
+        }
+    }
+    return findings;
+}
+/** Check for routes without auth middleware */
+export function checkAuth() {
+    const findings = [];
+    const routeDirs = ["src/routes", "node-backend/src/routes", "backend/src/routes"];
+    for (const dir of routeDirs) {
+        if (!existsSync(dir))
+            continue;
+        const files = readdirSync(dir).filter(f => f.endsWith(".ts") || f.endsWith(".js"));
+        const authKeywords = ["authenticate", "requirePermission", "authorize", "auth", "requireAuth", "isAuthenticated", "protect"];
+        let unprotectedCount = 0;
+        for (const file of files) {
+            if (file === "auth.ts" || file === "auth.js" || file === "health.ts")
+                continue; // auth routes are public
+            const content = readFileSync(join(dir, file), "utf-8");
+            const hasAuth = authKeywords.some(kw => content.includes(kw));
+            const hasRoutes = /router\.(get|post|put|patch|delete)\s*\(/.test(content);
+            if (hasRoutes && !hasAuth) {
+                findings.push({ check: "auth", level: "warning", message: `No auth middleware detected in ${file}`, file: join(dir, file), fix: "Add authenticate() or requirePermission() middleware" });
+                unprotectedCount++;
+            }
+        }
+        if (unprotectedCount > 0) {
+            findings.push({ check: "auth", level: "info", message: `${unprotectedCount} route files without visible auth middleware`, fix: "Review each route file for proper authentication" });
+        }
+        break;
+    }
+    return findings;
+}
+/** Run all security checks */
+export function runAllChecks(checks) {
+    const allChecks = {
+        secrets: checkSecrets,
+        deps: checkDeps,
+        rate_limit: checkRateLimit,
+        cors: checkCors,
+        auth: checkAuth,
+    };
+    const toRun = checks ?? Object.keys(allChecks);
+    const findings = [];
+    for (const check of toRun) {
+        const fn = allChecks[check];
+        if (fn) {
+            try {
+                findings.push(...fn());
+            }
+            catch {
+                findings.push({ check, level: "info", message: `Check "${check}" failed to run` });
+            }
+        }
+    }
+    return findings;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prajwolkc/stk",
-  "version": "0.5.1",
+  "version": "0.7.0",
   "description": "One CLI to deploy, monitor, debug, and learn about your entire stack. Infrastructure monitoring, knowledge base brain, deploy watching, and GitHub issues — all from one command.",
   "type": "module",
   "license": "MIT",
@@ -31,6 +31,7 @@
   },
   "files": [
     "dist",
+    "src/data",
     "README.md",
     "LICENSE"
   ],