@prajwolkc/stk 0.6.1 → 0.7.1

package/dist/services/metrics.js

@@ -0,0 +1,78 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+const STK_DIR = join(homedir(), ".stk");
+const METRICS_PATH = join(STK_DIR, "metrics.json");
+const MAX_ENTRIES = 1000;
+function ensureDir() {
+    if (!existsSync(STK_DIR))
+        mkdirSync(STK_DIR, { recursive: true });
+}
+export function loadMetrics() {
+    ensureDir();
+    if (!existsSync(METRICS_PATH))
+        return { version: 1, entries: [] };
+    try {
+        return JSON.parse(readFileSync(METRICS_PATH, "utf-8"));
+    }
+    catch {
+        return { version: 1, entries: [] };
+    }
+}
+export function saveMetrics(store) {
+    ensureDir();
+    writeFileSync(METRICS_PATH, JSON.stringify(store, null, 2));
+}
+export function recordMetric(type, value, metadata = {}) {
+    const store = loadMetrics();
+    store.entries.push({ timestamp: new Date().toISOString(), type, value, metadata });
+    // Evict oldest if over limit
+    if (store.entries.length > MAX_ENTRIES) {
+        store.entries = store.entries.slice(-MAX_ENTRIES);
+    }
+    saveMetrics(store);
+}
+export function getMetrics(type, days = 7, limit = 100) {
+    const store = loadMetrics();
+    const since = new Date(Date.now() - days * 86400000).toISOString();
+    let entries = store.entries.filter(e => e.timestamp >= since);
+    if (type)
+        entries = entries.filter(e => e.type === type);
+    return entries.slice(-limit);
+}
+export function getBaseline(type) {
+    const store = loadMetrics();
+    const ofType = store.entries.filter(e => e.type === type).slice(-10);
+    if (ofType.length === 0)
+        return 0;
+    return ofType.reduce((sum, e) => sum + e.value, 0) / ofType.length;
+}
+export function compareToBaseline(type) {
+    const store = loadMetrics();
+    const ofType = store.entries.filter(e => e.type === type);
+    if (ofType.length < 2)
+        return { current: 0, baseline: 0, changePct: 0, status: "stable" };
+    const recent = ofType.slice(-3);
+    const older = ofType.slice(-13, -3);
+    const current = recent.reduce((s, e) => s + e.value, 0) / recent.length;
+    const baseline = older.length > 0 ? older.reduce((s, e) => s + e.value, 0) / older.length : current;
+    const changePct = baseline === 0 ? 0 : Math.round(((current - baseline) / baseline) * 100);
+    const status = changePct > 20 ? "degraded" : changePct < -20 ? "improved" : "stable";
+    return { current: Math.round(current * 100) / 100, baseline: Math.round(baseline * 100) / 100, changePct, status };
+}
+export function getDeployFrequency(days = 7) {
+    const entries = getMetrics("deploy", days, 1000);
+    const perDay = days > 0 ? Math.round((entries.length / days) * 10) / 10 : 0;
+    return { total: entries.length, perDay };
+}
+export function getErrorRate(days = 7) {
+    const entries = getMetrics("error", days, 1000);
+    const perDay = days > 0 ? Math.round((entries.length / days) * 10) / 10 : 0;
+    return { total: entries.length, perDay };
+}
+export function getUptime(days = 7) {
+    const entries = getMetrics("health_check", days, 1000);
+    const healthy = entries.filter(e => e.value > 0).length;
+    const pct = entries.length > 0 ? Math.round((healthy / entries.length) * 1000) / 10 : 100;
+    return { checks: entries.length, healthy, pct };
+}

package/dist/services/security.d.ts

@@ -0,0 +1,19 @@
+export interface SecurityFinding {
+    check: string;
+    level: "critical" | "warning" | "info";
+    message: string;
+    file?: string;
+    fix?: string;
+}
+/** Check for exposed secrets in .env files */
+export declare function checkSecrets(): SecurityFinding[];
+/** Check for outdated/vulnerable dependencies */
+export declare function checkDeps(): SecurityFinding[];
+/** Check for missing rate limiting */
+export declare function checkRateLimit(): SecurityFinding[];
+/** Check for open CORS */
+export declare function checkCors(): SecurityFinding[];
+/** Check for routes without auth middleware */
+export declare function checkAuth(): SecurityFinding[];
+/** Run all security checks */
+export declare function runAllChecks(checks?: string[]): SecurityFinding[];

package/dist/services/security.js

@@ -0,0 +1,194 @@
+import { readFileSync, existsSync, readdirSync } from "fs";
+import { execSync } from "child_process";
+import { resolve, join } from "path";
+/** Check for exposed secrets in .env files */
+export function checkSecrets() {
+    const findings = [];
+    const envFiles = [".env", ".env.local", ".env.production", ".env.staging"];
+    // Check if .gitignore exists and covers env files
+    let gitignoreContent = "";
+    if (existsSync(".gitignore")) {
+        gitignoreContent = readFileSync(".gitignore", "utf-8");
+    }
+    for (const file of envFiles) {
+        if (!existsSync(file))
+            continue;
+        if (!gitignoreContent.includes(file) && !gitignoreContent.includes(".env*") && !gitignoreContent.includes(".env")) {
+            findings.push({
+                check: "secrets",
+                level: "critical",
+                message: `${file} is NOT in .gitignore — secrets may be committed`,
+                file,
+                fix: `Add "${file}" to .gitignore`,
+            });
+        }
+        const content = readFileSync(file, "utf-8");
+        const lines = content.split("\n");
+        for (const line of lines) {
+            const [key, ...rest] = line.split("=");
+            const value = rest.join("=").trim();
+            if (!key || !value || key.startsWith("#"))
+                continue;
+            // Check for known secret patterns
+            if (value.startsWith("AKIA") && key.includes("AWS")) {
+                findings.push({ check: "secrets", level: "critical", message: `AWS access key found in ${file}`, file, fix: "Use environment variables or secrets manager" });
+            }
+            if (value.startsWith("sk_live_")) {
+                findings.push({ check: "secrets", level: "critical", message: `Live Stripe secret key in ${file}`, file, fix: "Use sk_test_ for development" });
+            }
+            if (key.includes("JWT_SECRET") && value.length < 32) {
+                findings.push({ check: "secrets", level: "warning", message: `JWT_SECRET is short (${value.length} chars) — use at least 32`, file, fix: "Generate a longer secret: openssl rand -hex 32" });
+            }
+        }
+    }
+    return findings;
+}
+/** Check for outdated/vulnerable dependencies */
+export function checkDeps() {
+    const findings = [];
+    const pkgPaths = ["package.json", "node-backend/package.json", "frontend/package.json", "backend/package.json"];
+    for (const pkg of pkgPaths) {
+        if (!existsSync(pkg))
+            continue;
+        const dir = pkg === "package.json" ? "." : pkg.replace("/package.json", "");
+        try {
+            const result = execSync(`npm audit --json 2>/dev/null`, { cwd: resolve(dir), encoding: "utf-8", timeout: 30000 });
+            const audit = JSON.parse(result);
+            const vulns = audit.metadata?.vulnerabilities ?? {};
+            const critical = vulns.critical ?? 0;
+            const high = vulns.high ?? 0;
+            const moderate = vulns.moderate ?? 0;
+            if (critical > 0) {
+                findings.push({ check: "deps", level: "critical", message: `${critical} critical vulnerabilities in ${dir}`, file: pkg, fix: "Run: npm audit fix" });
+            }
+            if (high > 0) {
+                findings.push({ check: "deps", level: "warning", message: `${high} high vulnerabilities in ${dir}`, file: pkg, fix: "Run: npm audit fix" });
+            }
+            if (moderate > 0) {
+                findings.push({ check: "deps", level: "info", message: `${moderate} moderate vulnerabilities in ${dir}`, file: pkg });
+            }
+        }
+        catch {
+            // npm audit returns non-zero when vulns found
+            try {
+                const stderr = execSync(`npm audit --json 2>&1 || true`, { cwd: resolve(dir), encoding: "utf-8", timeout: 30000 });
+                const audit = JSON.parse(stderr);
+                const vulns = audit.metadata?.vulnerabilities ?? {};
+                if ((vulns.critical ?? 0) > 0) {
+                    findings.push({ check: "deps", level: "critical", message: `${vulns.critical} critical vulnerabilities in ${dir}`, file: pkg });
+                }
+                if ((vulns.high ?? 0) > 0) {
+                    findings.push({ check: "deps", level: "warning", message: `${vulns.high} high vulnerabilities in ${dir}`, file: pkg });
+                }
+            }
+            catch { /* skip */ }
+        }
+    }
+    return findings;
+}
+/** Check for missing rate limiting */
+export function checkRateLimit() {
+    const findings = [];
+    const routeDirs = ["src/routes", "node-backend/src/routes", "backend/src/routes", "api/src/routes"];
+    for (const dir of routeDirs) {
+        if (!existsSync(dir))
+            continue;
+        // Check if rate limiter middleware exists
+        const middlewareDirs = [
+            dir.replace("/routes", "/middleware"),
+            dir.replace("/routes", "/middlewares"),
+        ];
+        let hasRateLimit = false;
+        for (const mDir of middlewareDirs) {
+            if (!existsSync(mDir))
+                continue;
+            const files = readdirSync(mDir);
+            for (const f of files) {
+                const content = readFileSync(join(mDir, f), "utf-8");
+                if (content.includes("rate") && content.includes("limit")) {
+                    hasRateLimit = true;
+                    break;
+                }
+            }
+        }
+        if (!hasRateLimit) {
+            findings.push({
+                check: "rate_limit",
+                level: "warning",
+                message: `No rate limiting middleware found in ${dir.replace("/routes", "/middleware")}`,
+                fix: "Add express-rate-limit or similar middleware",
+            });
+        }
+        break;
+    }
+    return findings;
+}
+/** Check for open CORS */
+export function checkCors() {
+    const findings = [];
+    const searchFiles = ["src/index.ts", "src/app.ts", "src/server.ts", "node-backend/src/index.ts", "node-backend/src/app.ts"];
+    for (const file of searchFiles) {
+        if (!existsSync(file))
+            continue;
+        const content = readFileSync(file, "utf-8");
+        if (content.includes("origin: '*'") || content.includes('origin: "*"')) {
+            findings.push({ check: "cors", level: "warning", message: `CORS allows all origins (*) in ${file}`, file, fix: "Restrict CORS to your frontend domain" });
+        }
+        if (content.includes("cors()") && !content.includes("origin")) {
+            findings.push({ check: "cors", level: "info", message: `CORS initialized without explicit origin in ${file}`, file, fix: "Set explicit CORS origin" });
+        }
+    }
+    return findings;
+}
+/** Check for routes without auth middleware */
+export function checkAuth() {
+    const findings = [];
+    const routeDirs = ["src/routes", "node-backend/src/routes", "backend/src/routes"];
+    for (const dir of routeDirs) {
+        if (!existsSync(dir))
+            continue;
+        const files = readdirSync(dir).filter(f => f.endsWith(".ts") || f.endsWith(".js"));
+        const authKeywords = ["authenticate", "requirePermission", "authorize", "auth", "requireAuth", "isAuthenticated", "protect"];
+        let unprotectedCount = 0;
+        for (const file of files) {
+            if (file === "auth.ts" || file === "auth.js" || file === "health.ts")
+                continue; // auth routes are public
+            const content = readFileSync(join(dir, file), "utf-8");
+            const hasAuth = authKeywords.some(kw => content.includes(kw));
+            const hasRoutes = /router\.(get|post|put|patch|delete)\s*\(/.test(content);
+            if (hasRoutes && !hasAuth) {
+                findings.push({ check: "auth", level: "warning", message: `No auth middleware detected in ${file}`, file: join(dir, file), fix: "Add authenticate() or requirePermission() middleware" });
+                unprotectedCount++;
+            }
+        }
+        if (unprotectedCount > 0) {
+            findings.push({ check: "auth", level: "info", message: `${unprotectedCount} route files without visible auth middleware`, fix: "Review each route file for proper authentication" });
+        }
+        break;
+    }
+    return findings;
+}
+/** Run all security checks */
+export function runAllChecks(checks) {
+    const allChecks = {
+        secrets: checkSecrets,
+        deps: checkDeps,
+        rate_limit: checkRateLimit,
+        cors: checkCors,
+        auth: checkAuth,
+    };
+    const toRun = checks ?? Object.keys(allChecks);
+    const findings = [];
+    for (const check of toRun) {
+        const fn = allChecks[check];
+        if (fn) {
+            try {
+                findings.push(...fn());
+            }
+            catch {
+                findings.push({ check, level: "info", message: `Check "${check}" failed to run` });
+            }
+        }
+    }
+    return findings;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prajwolkc/stk",
-  "version": "0.6.1",
+  "version": "0.7.1",
   "description": "One CLI to deploy, monitor, debug, and learn about your entire stack. Infrastructure monitoring, knowledge base brain, deploy watching, and GitHub issues — all from one command.",
   "type": "module",
   "license": "MIT",
@@ -31,6 +31,7 @@
   },
   "files": [
     "dist",
+    "src/data",
     "README.md",
     "LICENSE"
   ],