@qodfy/core 0.1.2 → 0.1.4

package/dist/index.d.ts

@@ -16,6 +16,7 @@ type ScanReport = {
         apiRoutes: number;
         aiFiles: number;
         largeFiles: number;
+        durationMs: number;
     };
 };
 declare function scanProject(projectPath: string): Promise<ScanReport>;

package/dist/index.js

@@ -9,7 +9,27 @@ var ignoredPaths = [
   "dist/**",
   "build/**",
   ".turbo/**",
-  ".vercel/**"
+  ".vercel/**",
+  "coverage/**",
+  "**/coverage/**",
+  ".cache/**",
+  "**/.cache/**",
+  ".output/**",
+  "**/.output/**",
+  ".open-next/**",
+  "**/.open-next/**",
+  "storybook-static/**",
+  "**/storybook-static/**",
+  "playwright-report/**",
+  "**/playwright-report/**",
+  "test-results/**",
+  "**/test-results/**",
+  "**/*.d.ts",
+  "**/*.map",
+  "generated/**",
+  "**/generated/**",
+  "__generated__/**",
+  "**/__generated__/**"
 ];
 var aiKeywords = [
   "openai",
@@ -21,7 +41,44 @@ var aiKeywords = [
   "streamText",
   "useChat"
 ];
+var hardcodedSecretPatterns = [
+  {
+    label: "OpenAI API key",
+    pattern: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/g
+  },
+  {
+    label: "Stripe secret key",
+    pattern: /\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{16,}\b/g
+  },
+  {
+    label: "Stripe webhook secret",
+    pattern: /\bwhsec_[A-Za-z0-9]{16,}\b/g
+  },
+  {
+    label: "GitHub token",
+    pattern: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{30,}\b/g
+  },
+  {
+    label: "GitHub fine-grained token",
+    pattern: /\bgithub_pat_[A-Za-z0-9_]{40,}\b/g
+  },
+  {
+    label: "Google API key",
+    pattern: /\bAIza[A-Za-z0-9_-]{20,}\b/g
+  },
+  {
+    label: "Slack token",
+    pattern: /\bxox[baprs]-[A-Za-z0-9-]{20,}\b/g
+  },
+  {
+    label: "private key",
+    pattern: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g
+  }
+];
+var LARGE_FILE_WARNING_BYTES = 15e3;
+var MAX_FILE_SIZE_BYTES = 500 * 1024;
 async function scanProject(projectPath) {
+  const startTime = Date.now();
   const resolvedProjectPath = path.resolve(projectPath);
   const issues = [];
   const packageJsonPath = path.join(resolvedProjectPath, "package.json");
@@ -102,17 +159,38 @@ async function scanProject(projectPath) {
   }
   const files = await getSourceFiles(resolvedProjectPath, issues);
   const apiRoutes = files.filter((file) => {
-    return file.includes(`${path.sep}app${path.sep}api${path.sep}`) || file.includes(`${path.sep}pages${path.sep}api${path.sep}`);
+    return isApiRoute(file);
   });
   const apiRouteSet = new Set(apiRoutes);
-  const readableFiles = /* @__PURE__ */ new Map();
   const envExampleWarningKeys = /* @__PURE__ */ new Set();
   const clientSecretWarningKeys = /* @__PURE__ */ new Set();
+  const hardcodedSecretWarningKeys = /* @__PURE__ */ new Set();
   let aiFiles = 0;
   let largeFiles = 0;
   for (const file of files) {
-    const fileResult = await safeReadFile(file);
     const relativeFile = normalizePath(path.relative(resolvedProjectPath, file));
+    const statResult = await safeStatFile(file);
+    if (!statResult.ok) {
+      issues.push({
+        severity: "info",
+        title: "File could not be checked",
+        message: statResult.reason,
+        file: relativeFile
+      });
+      continue;
+    }
+    if (statResult.size > MAX_FILE_SIZE_BYTES) {
+      largeFiles++;
+      issues.push({
+        severity: "info",
+        title: "Large file skipped from deep scan",
+        message: "This file is larger than 500KB and was skipped from deep content checks.",
+        file: relativeFile,
+        suggestion: "Review large generated or bundled files manually."
+      });
+      continue;
+    }
+    const fileResult = await safeReadFile(file);
     if (!fileResult.ok) {
       issues.push({
         severity: "info",
@@ -123,8 +201,7 @@ async function scanProject(projectPath) {
       continue;
     }
     const content = fileResult.content;
-    readableFiles.set(file, content);
-    if (content.length > 15e3) {
+    if (statResult.size > LARGE_FILE_WARNING_BYTES) {
       largeFiles++;
       issues.push({
         severity: "info",
@@ -150,6 +227,43 @@ async function scanProject(projectPath) {
         });
       }
     }
+    const isStripeWebhook = isStripeWebhookRoute(relativeFile, content);
+    const hasStripeSignatureVerification = hasStripeWebhookSignatureVerification(content);
+    if (isStripeWebhook && !hasStripeSignatureVerification) {
+      issues.push({
+        severity: "critical",
+        title: "Stripe webhook may be missing signature verification",
+        message: "This Stripe webhook route does not appear to verify the Stripe signature before handling the event.",
+        file: relativeFile,
+        suggestion: "Use stripe.webhooks.constructEvent with the raw request body, Stripe-Signature header, and STRIPE_WEBHOOK_SECRET."
+      });
+    }
+    for (const secretMatch of getHardcodedSecretMatches(content)) {
+      const warningKey = `${relativeFile}:${secretMatch.label}`;
+      if (hardcodedSecretWarningKeys.has(warningKey)) {
+        continue;
+      }
+      hardcodedSecretWarningKeys.add(warningKey);
+      issues.push({
+        severity: "critical",
+        title: "Possible hardcoded secret",
+        message: `A string literal in ${relativeFile} matches the pattern for ${secretMatch.label}. Qodfy does not print possible secret values.`,
+        file: relativeFile,
+        suggestion: "Move secrets into environment variables and rotate the value if this is a real secret."
+      });
+    }
+    if (apiRouteSet.has(file)) {
+      const hasAuth = content.includes("auth(") || content.includes("getServerSession") || content.includes("currentUser") || content.includes("clerkClient") || content.includes("session");
+      if (!hasAuth && !isStripeWebhook) {
+        issues.push({
+          severity: "warning",
+          title: "API route may be missing authentication",
+          message: "This API route does not appear to contain an auth/session check.",
+          file: relativeFile,
+          suggestion: "Confirm the route is public, or add an auth/session check before handling user data."
+        });
+      }
+    }
     const usedEnvVariables = getUsedEnvVariables(content);
     if (envExampleVariables) {
       for (const variableName of usedEnvVariables) {
@@ -188,23 +302,6 @@ async function scanProject(projectPath) {
       }
     }
   }
-  for (const route of apiRoutes) {
-    const content = readableFiles.get(route);
-    if (!content) {
-      continue;
-    }
-    const relativeFile = normalizePath(path.relative(resolvedProjectPath, route));
-    const hasAuth = content.includes("auth(") || content.includes("getServerSession") || content.includes("currentUser") || content.includes("clerkClient") || content.includes("session");
-    if (!hasAuth) {
-      issues.push({
-        severity: "warning",
-        title: "API route may be missing authentication",
-        message: "This API route does not appear to contain an auth/session check.",
-        file: relativeFile,
-        suggestion: "Confirm the route is public, or add an auth/session check before handling user data."
-      });
-    }
-  }
   const criticalCount = issues.filter((issue) => issue.severity === "critical").length;
   const warningCount = issues.filter((issue) => issue.severity === "warning").length;
   const score = Math.max(0, 100 - criticalCount * 20 - warningCount * 8);
@@ -217,7 +314,8 @@ async function scanProject(projectPath) {
       totalFiles: files.length,
       apiRoutes: apiRoutes.length,
       aiFiles,
-      largeFiles
+      largeFiles,
+      durationMs: Date.now() - startTime
     }
   };
 }
@@ -258,6 +356,36 @@ async function safeReadFile(filePath) {
     };
   }
 }
+async function safeStatFile(filePath) {
+  try {
+    const stats = await fs.stat(filePath);
+    return {
+      ok: true,
+      size: stats.size
+    };
+  } catch (error) {
+    const code = getErrorCode(error);
+    if (code === "ENOENT") {
+      return {
+        ok: false,
+        code,
+        reason: "The file disappeared while Qodfy was scanning it."
+      };
+    }
+    if (code === "EACCES" || code === "EPERM") {
+      return {
+        ok: false,
+        code,
+        reason: "Qodfy does not have permission to check this file."
+      };
+    }
+    return {
+      ok: false,
+      code,
+      reason: "Qodfy could not check this file."
+    };
+  }
+}
 async function safeReadJson(filePath) {
   const fileResult = await safeReadFile(filePath);
   if (!fileResult.ok) {
@@ -312,18 +440,55 @@ function getUsedEnvVariables(content) {
   const variables = /* @__PURE__ */ new Set();
   const dotAccessPattern = /\bprocess\.env\.([A-Za-z_][A-Za-z0-9_]*)/g;
   const bracketAccessPattern = /\bprocess\.env\[['"`]([A-Za-z_][A-Za-z0-9_]*)['"`]\]/g;
+  const destructuredEnvPattern = /\b(?:const|let|var)\s*\{([^}]+)\}\s*=\s*process\.env\b/g;
   for (const match of content.matchAll(dotAccessPattern)) {
     variables.add(match[1]);
   }
   for (const match of content.matchAll(bracketAccessPattern)) {
     variables.add(match[1]);
   }
+  for (const match of content.matchAll(destructuredEnvPattern)) {
+    for (const variableName of parseDestructuredEnvNames(match[1])) {
+      variables.add(variableName);
+    }
+  }
   return variables;
 }
+function parseDestructuredEnvNames(destructuredContent) {
+  const variables = [];
+  for (const part of destructuredContent.split(",")) {
+    const variableName = part.trim().split(":")[0].split("=")[0].trim();
+    if (/^[A-Za-z_][A-Za-z0-9_]*$/.test(variableName)) {
+      variables.push(variableName);
+    }
+  }
+  return variables;
+}
+function getHardcodedSecretMatches(content) {
+  const matches = [];
+  for (const secretPattern of hardcodedSecretPatterns) {
+    secretPattern.pattern.lastIndex = 0;
+    if (secretPattern.pattern.test(content)) {
+      matches.push({ label: secretPattern.label });
+    }
+  }
+  return matches;
+}
 function isClientSideFile(relativeFile, content) {
   const fileName = path.basename(relativeFile);
   return fileName.includes(".client.") || /(^|\n)\s*["']use client["'];?/.test(content);
 }
+function isApiRoute(filePath) {
+  return filePath.includes(`${path.sep}app${path.sep}api${path.sep}`) || filePath.includes(`${path.sep}pages${path.sep}api${path.sep}`);
+}
+function isStripeWebhookRoute(relativeFile, content) {
+  const normalizedFile = relativeFile.toLowerCase();
+  const normalizedContent = content.toLowerCase();
+  return normalizedContent.includes("stripe") && (normalizedFile.includes("webhook") || normalizedContent.includes("webhook") || normalizedContent.includes("stripe.webhooks"));
+}
+function hasStripeWebhookSignatureVerification(content) {
+  return content.includes("stripe.webhooks.constructEvent") || content.includes("webhooks.constructEvent") || content.includes("constructEvent(");
+}
 function isPackageJsonObject(data) {
   return typeof data === "object" && data !== null && !Array.isArray(data);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qodfy/core",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Scanner engine for Qodfy, an open-source launch readiness scanner for AI-built apps.",
   "keywords": [
     "qodfy",