@rahul-sch/vibeguard 1.0.0

package/dist/fix/engine.d.ts

@@ -0,0 +1,37 @@
+import type { Finding, DetectionRule } from '../rules/types.js';
+import type { Fix, FixResult, FixOptions, ApplyResult } from './types.js';
+/**
+ * Check if a finding is fixable
+ */
+export declare function isFixable(finding: Finding): boolean;
+/**
+ * Get all fixable findings from a list
+ */
+export declare function getFixableFindings(findings: Finding[]): Finding[];
+/**
+ * Generate a fix for a single finding
+ */
+export declare function generateFix(finding: Finding, basePath?: string): FixResult;
+/**
+ * Generate fixes for multiple findings
+ */
+export declare function generateFixes(findings: Finding[], basePath?: string): {
+    finding: Finding;
+    result: FixResult;
+}[];
+/**
+ * Apply fixes to files
+ * Groups fixes by file and applies them
+ */
+export declare function applyAllFixes(fixes: Fix[], options?: FixOptions): ApplyResult[];
+/**
+ * Print diff for a fix
+ */
+export declare function printDiff(fix: Fix): string;
+/**
+ * Get a summary of fixable rules
+ */
+export declare function getFixableRules(): DetectionRule[];
+export { generateUnifiedDiff, previewFix, applyFixes, dryRunFixes } from './patch.js';
+export { getStrategy, strategies } from './strategies.js';
+export type { Fix, FixResult, FixOptions, ApplyResult, FixStrategy } from './types.js';

package/dist/fix/engine.js

@@ -0,0 +1,121 @@
+import { readFileSync } from 'fs';
+import { join, isAbsolute } from 'path';
+import { getStrategy } from './strategies.js';
+import { applyFixes, generateUnifiedDiff } from './patch.js';
+import { allRules, ruleById } from '../rules/index.js';
+/**
+ * Get the rule for a finding
+ */
+function getRuleForFinding(finding) {
+    return ruleById.get(finding.ruleId);
+}
+/**
+ * Check if a finding is fixable
+ */
+export function isFixable(finding) {
+    const rule = getRuleForFinding(finding);
+    return !!(rule?.fixable && rule?.fixStrategy);
+}
+/**
+ * Get all fixable findings from a list
+ */
+export function getFixableFindings(findings) {
+    return findings.filter(isFixable);
+}
+/**
+ * Generate a fix for a single finding
+ */
+export function generateFix(finding, basePath) {
+    const rule = getRuleForFinding(finding);
+    if (!rule?.fixable || !rule?.fixStrategy) {
+        return { success: false, fix: null, error: 'Rule is not fixable' };
+    }
+    const strategy = getStrategy(rule.fixStrategy);
+    if (!strategy) {
+        return { success: false, fix: null, error: `Unknown fix strategy: ${rule.fixStrategy}` };
+    }
+    // Resolve file path
+    const filePath = resolveFilePath(finding.file, basePath);
+    // Read file content
+    let content;
+    try {
+        content = readFileSync(filePath, 'utf-8');
+    }
+    catch (error) {
+        return {
+            success: false,
+            fix: null,
+            error: `Could not read file: ${filePath}`,
+        };
+    }
+    // Check if strategy can fix this finding
+    if (!strategy.canFix(finding, content)) {
+        return { success: false, fix: null, error: 'Strategy cannot fix this specific case' };
+    }
+    // Generate the fix
+    const result = strategy.generateFix(finding, content);
+    // Update file path in fix to be absolute
+    if (result.success && result.fix) {
+        result.fix.file = filePath;
+    }
+    return result;
+}
+/**
+ * Generate fixes for multiple findings
+ */
+export function generateFixes(findings, basePath) {
+    const results = [];
+    for (const finding of findings) {
+        const result = generateFix(finding, basePath);
+        results.push({ finding, result });
+    }
+    return results;
+}
+/**
+ * Apply fixes to files
+ * Groups fixes by file and applies them
+ */
+export function applyAllFixes(fixes, options = {}) {
+    const results = [];
+    // Group fixes by file
+    const byFile = new Map();
+    for (const fix of fixes) {
+        const existing = byFile.get(fix.file) || [];
+        existing.push(fix);
+        byFile.set(fix.file, existing);
+    }
+    // Apply fixes to each file
+    for (const [file, fileFixes] of byFile) {
+        if (options.dryRun) {
+            // Just report what would be done
+            results.push({ file, fixes: fileFixes, applied: false });
+        }
+        else {
+            const result = applyFixes(file, fileFixes);
+            results.push(result);
+        }
+    }
+    return results;
+}
+/**
+ * Print diff for a fix
+ */
+export function printDiff(fix) {
+    return generateUnifiedDiff(fix);
+}
+/**
+ * Get a summary of fixable rules
+ */
+export function getFixableRules() {
+    return allRules.filter(r => r.fixable && r.fixStrategy);
+}
+// Helper function
+function resolveFilePath(file, basePath) {
+    if (isAbsolute(file)) {
+        return file;
+    }
+    return basePath ? join(basePath, file) : file;
+}
+// Re-exports
+export { generateUnifiedDiff, previewFix, applyFixes, dryRunFixes } from './patch.js';
+export { getStrategy, strategies } from './strategies.js';

package/dist/fix/index.d.ts

@@ -0,0 +1,2 @@
+export { isFixable, getFixableFindings, generateFix, generateFixes, applyAllFixes, printDiff, getFixableRules, generateUnifiedDiff, previewFix, applyFixes, dryRunFixes, getStrategy, strategies, } from './engine.js';
+export type { Fix, FixResult, FixOptions, ApplyResult, FixStrategy, } from './types.js';

package/dist/fix/index.js

@@ -0,0 +1,2 @@
+// Fix Engine - Auto-fix security issues
+export { isFixable, getFixableFindings, generateFix, generateFixes, applyAllFixes, printDiff, getFixableRules, generateUnifiedDiff, previewFix, applyFixes, dryRunFixes, getStrategy, strategies, } from './engine.js';

package/dist/fix/patch.d.ts

@@ -0,0 +1,23 @@
+import type { Fix, ApplyResult } from './types.js';
+/**
+ * Generate a unified diff string for a fix
+ */
+export declare function generateUnifiedDiff(fix: Fix, content?: string): string;
+/**
+ * Preview a fix showing before/after
+ */
+export declare function previewFix(fix: Fix): string;
+/**
+ * Apply a single fix to file content
+ * Returns the modified content
+ */
+export declare function applyFixToContent(content: string, fix: Fix): string;
+/**
+ * Apply multiple fixes to a file
+ * Fixes must be sorted by start offset (descending) to avoid offset corruption
+ */
+export declare function applyFixes(filePath: string, fixes: Fix[]): ApplyResult;
+/**
+ * Apply fixes in dry-run mode (returns what would be changed)
+ */
+export declare function dryRunFixes(filePath: string, fixes: Fix[], content: string): string;

package/dist/fix/patch.js

@@ -0,0 +1,94 @@
+import { readFileSync, writeFileSync } from 'fs';
+/**
+ * Generate a unified diff string for a fix
+ */
+export function generateUnifiedDiff(fix, content) {
+    const original = fix.original;
+    const replacement = fix.replacement;
+    // Simple unified diff format
+    const lines = [];
+    lines.push(`--- a/${fix.file}`);
+    lines.push(`+++ b/${fix.file}`);
+    lines.push(`@@ -1,1 +1,1 @@`);
+    // Show original lines with -
+    for (const line of original.split('\n')) {
+        lines.push(`-${line}`);
+    }
+    // Show replacement lines with +
+    for (const line of replacement.split('\n')) {
+        lines.push(`+${line}`);
+    }
+    return lines.join('\n');
+}
+/**
+ * Preview a fix showing before/after
+ */
+export function previewFix(fix) {
+    const lines = [];
+    lines.push(`File: ${fix.file}`);
+    lines.push(`Rule: ${fix.ruleId}`);
+    lines.push(`Description: ${fix.description}`);
+    lines.push('');
+    lines.push('Before:');
+    lines.push(`  ${fix.original}`);
+    lines.push('');
+    lines.push('After:');
+    lines.push(`  ${fix.replacement}`);
+    return lines.join('\n');
+}
+/**
+ * Apply a single fix to file content
+ * Returns the modified content
+ */
+export function applyFixToContent(content, fix) {
+    // Verify the original text is at the expected position
+    const actualText = content.slice(fix.start, fix.end);
+    if (actualText !== fix.original) {
+        throw new Error(`Content mismatch at offset ${fix.start}. ` +
+            `Expected "${fix.original}" but found "${actualText}"`);
+    }
+    // Apply the fix
+    return content.slice(0, fix.start) + fix.replacement + content.slice(fix.end);
+}
+/**
+ * Apply multiple fixes to a file
+ * Fixes must be sorted by start offset (descending) to avoid offset corruption
+ */
+export function applyFixes(filePath, fixes) {
+    if (fixes.length === 0) {
+        return { file: filePath, fixes: [], applied: false };
+    }
+    try {
+        let content = readFileSync(filePath, 'utf-8');
+        // Sort fixes by start offset descending (apply from end to beginning)
+        const sortedFixes = [...fixes].sort((a, b) => b.start - a.start);
+        // Apply each fix
+        for (const fix of sortedFixes) {
+            content = applyFixToContent(content, fix);
+        }
+        // Write the modified content
+        writeFileSync(filePath, content);
+        return { file: filePath, fixes, applied: true };
+    }
+    catch (error) {
+        return {
+            file: filePath,
+            fixes,
+            applied: false,
+            error: error instanceof Error ? error.message : 'Unknown error',
+        };
+    }
+}
+/**
+ * Apply fixes in dry-run mode (returns what would be changed)
+ */
+export function dryRunFixes(filePath, fixes, content) {
+    // Sort fixes by start offset descending
+    const sortedFixes = [...fixes].sort((a, b) => b.start - a.start);
+    // Apply each fix to get the final content
+    let modifiedContent = content;
+    for (const fix of sortedFixes) {
+        modifiedContent = applyFixToContent(modifiedContent, fix);
+    }
+    return modifiedContent;
+}

package/dist/fix/strategies.d.ts

@@ -0,0 +1,21 @@
+import type { FixStrategy } from './types.js';
+/**
+ * Strategy: eval(x) -> JSON.parse(x)
+ * Works for both JS and Python
+ */
+export declare const evalToJsonParse: FixStrategy;
+/**
+ * Strategy: hardcoded secret -> environment variable
+ * Handles both JS (process.env) and Python (os.environ.get)
+ */
+export declare const hardcodedToEnv: FixStrategy;
+/**
+ * Strategy: shell=True -> shell=False
+ */
+export declare const shellTrueToFalse: FixStrategy;
+/**
+ * Strategy: Remove verify=False from requests calls
+ */
+export declare const removeVerifyFalse: FixStrategy;
+export declare const strategies: Map<string, FixStrategy>;
+export declare function getStrategy(name: string): FixStrategy | undefined;

package/dist/fix/strategies.js

@@ -0,0 +1,213 @@
+/**
+ * Strategy: eval(x) -> JSON.parse(x)
+ * Works for both JS and Python
+ */
+export const evalToJsonParse = {
+    name: 'eval-to-json-parse',
+    canFix(finding, content) {
+        // Must have a valid match offset
+        if (finding.matchOffset === undefined)
+            return false;
+        // Must contain eval(
+        return /\beval\s*\(/.test(finding.match);
+    },
+    generateFix(finding, content) {
+        if (finding.matchOffset === undefined) {
+            return { success: false, fix: null, error: 'No match offset available' };
+        }
+        const start = finding.matchOffset;
+        const matchLen = finding.match.length;
+        // Find the full eval(...) call including the closing paren
+        // We need to find the matching closing parenthesis
+        let depth = 0;
+        let endPos = start;
+        let foundOpen = false;
+        for (let i = start; i < content.length; i++) {
+            const char = content[i];
+            if (char === '(') {
+                depth++;
+                foundOpen = true;
+            }
+            else if (char === ')') {
+                depth--;
+                if (foundOpen && depth === 0) {
+                    endPos = i + 1;
+                    break;
+                }
+            }
+        }
+        if (endPos <= start) {
+            return { success: false, fix: null, error: 'Could not find closing parenthesis' };
+        }
+        const original = content.slice(start, endPos);
+        // Extract the argument: eval(arg) -> arg
+        const argMatch = original.match(/\beval\s*\(([\s\S]*)\)$/);
+        if (!argMatch) {
+            return { success: false, fix: null, error: 'Could not parse eval argument' };
+        }
+        const arg = argMatch[1];
+        const replacement = `JSON.parse(${arg})`;
+        return {
+            success: true,
+            fix: {
+                file: finding.file,
+                start,
+                end: endPos,
+                original,
+                replacement,
+                ruleId: finding.ruleId,
+                description: 'Replace eval() with JSON.parse()',
+            },
+        };
+    },
+};
+/**
+ * Strategy: hardcoded secret -> environment variable
+ * Handles both JS (process.env) and Python (os.environ.get)
+ */
+export const hardcodedToEnv = {
+    name: 'hardcoded-to-env',
+    canFix(finding, content) {
+        if (finding.matchOffset === undefined)
+            return false;
+        // Must be an assignment with a string value
+        return /(?:api[_-]?key|secret|password|token|auth[_-]?token|private[_-]?key)\s*[:=]\s*['"][^'"]+['"]/i.test(finding.match);
+    },
+    generateFix(finding, content) {
+        if (finding.matchOffset === undefined) {
+            return { success: false, fix: null, error: 'No match offset available' };
+        }
+        const start = finding.matchOffset;
+        const original = finding.match;
+        const end = start + original.length;
+        // Extract the variable name
+        const varMatch = original.match(/^(\w+)\s*[:=]/);
+        if (!varMatch) {
+            return { success: false, fix: null, error: 'Could not extract variable name' };
+        }
+        const varName = varMatch[1];
+        const envVarName = toScreamingSnakeCase(varName);
+        // Detect language from file extension
+        const isPython = finding.file.endsWith('.py');
+        const isJS = /\.(js|ts|jsx|tsx|mjs|cjs)$/.test(finding.file);
+        let replacement;
+        if (isPython) {
+            // Python: api_key = os.environ.get("API_KEY")
+            replacement = `${varName} = os.environ.get("${envVarName}")`;
+        }
+        else if (isJS) {
+            // JavaScript: const token = process.env.TOKEN
+            // Preserve the declaration keyword if present
+            const declMatch = original.match(/^(const|let|var)\s+/);
+            const prefix = declMatch ? declMatch[1] + ' ' : '';
+            replacement = `${prefix}${varName} = process.env.${envVarName}`;
+        }
+        else {
+            return { success: false, fix: null, error: 'Unsupported file type' };
+        }
+        return {
+            success: true,
+            fix: {
+                file: finding.file,
+                start,
+                end,
+                original,
+                replacement,
+                ruleId: finding.ruleId,
+                description: `Replace hardcoded value with ${isPython ? 'os.environ.get' : 'process.env'}.${envVarName}`,
+            },
+        };
+    },
+};
+/**
+ * Strategy: shell=True -> shell=False
+ */
+export const shellTrueToFalse = {
+    name: 'shell-true-to-false',
+    canFix(finding, content) {
+        if (finding.matchOffset === undefined)
+            return false;
+        return /shell\s*=\s*True/i.test(finding.match);
+    },
+    generateFix(finding, content) {
+        if (finding.matchOffset === undefined) {
+            return { success: false, fix: null, error: 'No match offset available' };
+        }
+        const start = finding.matchOffset;
+        const original = finding.match;
+        const end = start + original.length;
+        // Replace shell=True with shell=False
+        const replacement = original.replace(/shell\s*=\s*True/i, 'shell=False');
+        if (replacement === original) {
+            return { success: false, fix: null, error: 'Could not find shell=True to replace' };
+        }
+        return {
+            success: true,
+            fix: {
+                file: finding.file,
+                start,
+                end,
+                original,
+                replacement,
+                ruleId: finding.ruleId,
+                description: 'Set shell=False (command may need to be split into list)',
+            },
+        };
+    },
+};
+/**
+ * Strategy: Remove verify=False from requests calls
+ */
+export const removeVerifyFalse = {
+    name: 'remove-verify-false',
+    canFix(finding, content) {
+        if (finding.matchOffset === undefined)
+            return false;
+        return /verify\s*=\s*False/i.test(finding.match);
+    },
+    generateFix(finding, content) {
+        if (finding.matchOffset === undefined) {
+            return { success: false, fix: null, error: 'No match offset available' };
+        }
+        const start = finding.matchOffset;
+        const original = finding.match;
+        const end = start + original.length;
+        // Remove verify=False (and any preceding comma+space or following comma+space)
+        let replacement = original.replace(/,\s*verify\s*=\s*False/i, '');
+        if (replacement === original) {
+            replacement = original.replace(/verify\s*=\s*False\s*,?\s*/i, '');
+        }
+        if (replacement === original) {
+            return { success: false, fix: null, error: 'Could not remove verify=False' };
+        }
+        return {
+            success: true,
+            fix: {
+                file: finding.file,
+                start,
+                end,
+                original,
+                replacement,
+                ruleId: finding.ruleId,
+                description: 'Remove verify=False to enable SSL verification',
+            },
+        };
+    },
+};
+// Helper function
+function toScreamingSnakeCase(str) {
+    return str
+        .replace(/([a-z])([A-Z])/g, '$1_$2')
+        .replace(/[-\s]/g, '_')
+        .toUpperCase();
+}
+// Strategy registry
+export const strategies = new Map([
+    ['eval-to-json-parse', evalToJsonParse],
+    ['hardcoded-to-env', hardcodedToEnv],
+    ['shell-true-to-false', shellTrueToFalse],
+    ['remove-verify-false', removeVerifyFalse],
+]);
+export function getStrategy(name) {
+    return strategies.get(name);
+}

package/dist/fix/types.d.ts

@@ -0,0 +1,48 @@
+import type { Finding } from '../rules/types.js';
+/**
+ * Represents a single fix to apply to a file
+ */
+export interface Fix {
+    file: string;
+    start: number;
+    end: number;
+    original: string;
+    replacement: string;
+    ruleId: string;
+    description: string;
+}
+/**
+ * Result of attempting to generate a fix
+ */
+export interface FixResult {
+    success: boolean;
+    fix: Fix | null;
+    error?: string;
+}
+/**
+ * A fix strategy transforms a finding into a fix
+ */
+export interface FixStrategy {
+    name: string;
+    canFix(finding: Finding, content: string): boolean;
+    generateFix(finding: Finding, content: string): FixResult;
+}
+/**
+ * Options for the fix command
+ */
+export interface FixOptions {
+    dryRun?: boolean;
+    yes?: boolean;
+    git?: boolean;
+    basePath?: string;
+    verbose?: boolean;
+}
+/**
+ * Result of applying fixes to a file
+ */
+export interface ApplyResult {
+    file: string;
+    fixes: Fix[];
+    applied: boolean;
+    error?: string;
+}

package/dist/fix/types.js

@@ -0,0 +1 @@
+export {};

package/dist/github/client.d.ts

@@ -0,0 +1,10 @@
+import type { GitHubConfig, PR, PRFile, ReviewInput } from './types.js';
+export declare class GitHubClient {
+    private config;
+    constructor(config: GitHubConfig);
+    private fetch;
+    getPullRequest(prNumber: number): Promise<PR>;
+    getPullRequestFiles(prNumber: number): Promise<PRFile[]>;
+    postComment(issueNumber: number, body: string): Promise<void>;
+    createReview(prNumber: number, review: ReviewInput): Promise<void>;
+}

package/dist/github/client.js

@@ -0,0 +1,43 @@
+export class GitHubClient {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async fetch(endpoint, options = {}) {
+        const [owner, repo] = this.config.repo.split('/');
+        const url = `https://api.github.com/repos/${owner}/${repo}${endpoint}`;
+        const response = await fetch(url, {
+            ...options,
+            headers: {
+                'Authorization': `Bearer ${this.config.token}`,
+                'Accept': 'application/vnd.github+json',
+                'X-GitHub-Api-Version': '2022-11-28',
+                'Content-Type': 'application/json',
+                ...options.headers,
+            },
+        });
+        if (!response.ok) {
+            const error = await response.text();
+            throw new Error(`GitHub API error: ${response.status} ${response.statusText} - ${error}`);
+        }
+        return response.json();
+    }
+    async getPullRequest(prNumber) {
+        return this.fetch(`/pulls/${prNumber}`);
+    }
+    async getPullRequestFiles(prNumber) {
+        return this.fetch(`/pulls/${prNumber}/files`);
+    }
+    async postComment(issueNumber, body) {
+        await this.fetch(`/issues/${issueNumber}/comments`, {
+            method: 'POST',
+            body: JSON.stringify({ body }),
+        });
+    }
+    async createReview(prNumber, review) {
+        await this.fetch(`/pulls/${prNumber}/reviews`, {
+            method: 'POST',
+            body: JSON.stringify(review),
+        });
+    }
+}

package/dist/github/comment-formatter.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult, Finding } from '../rules/types.js';
+export declare function formatPRComment(result: ScanResult): string;
+export declare function formatInlineComment(finding: Finding): string;