@rigour-labs/cli 3.0.4 → 3.0.6

package/dist/commands/scan.js

@@ -0,0 +1,279 @@
+import fs from 'fs-extra';
+import path from 'path';
+import chalk from 'chalk';
+import yaml from 'yaml';
+import { globby } from 'globby';
+import { GateRunner, ConfigSchema, DiscoveryService, FixPacketService, recordScore, getScoreTrend, } from '@rigour-labs/core';
+// Exit codes per spec
+const EXIT_PASS = 0;
+const EXIT_FAIL = 1;
+const EXIT_CONFIG_ERROR = 2;
+const EXIT_INTERNAL_ERROR = 3;
+const LANGUAGE_PATTERNS = {
+    'TypeScript': ['**/*.ts', '**/*.tsx'],
+    'JavaScript': ['**/*.js', '**/*.jsx', '**/*.mjs', '**/*.cjs'],
+    'Python': ['**/*.py'],
+    'Go': ['**/*.go'],
+    'Java': ['**/*.java'],
+    'Kotlin': ['**/*.kt'],
+    'C#': ['**/*.cs'],
+    'Ruby': ['**/*.rb', '**/*.rake'],
+    'Rust': ['**/*.rs'],
+};
+const COMMON_IGNORE = [
+    '**/node_modules/**',
+    '**/.git/**',
+    '**/dist/**',
+    '**/build/**',
+    '**/.next/**',
+    '**/coverage/**',
+    '**/vendor/**',
+    '**/.venv/**',
+    '**/venv/**',
+    '**/target/**',
+    '**/.terraform/**',
+    '**/*.min.js',
+];
+const HEADLINE_GATE_SUPPORT = {
+    'hallucinated-imports': ['TypeScript', 'JavaScript', 'Python', 'Go', 'Ruby', 'C#', 'Rust', 'Java', 'Kotlin'],
+    'phantom-apis': ['TypeScript', 'JavaScript', 'Python', 'Go', 'C#', 'Java', 'Kotlin'],
+    'deprecated-apis': ['TypeScript', 'JavaScript', 'Python', 'Go', 'C#', 'Java', 'Kotlin'],
+    'promise-safety': ['TypeScript', 'JavaScript', 'Python', 'Go', 'Ruby', 'C#'],
+    'security-patterns': ['TypeScript', 'JavaScript', 'Python', 'Go', 'Java', 'Kotlin'],
+    'duplication-drift': ['TypeScript', 'JavaScript', 'Python'],
+    'inconsistent-error-handling': ['TypeScript', 'JavaScript'],
+    'context-window-artifacts': ['TypeScript', 'JavaScript', 'Python'],
+};
+export async function scanCommand(cwd, files = [], options = {}) {
+    try {
+        const scanCtx = await resolveScanConfig(cwd, options);
+        const stackSignals = await detectStackSignals(cwd);
+        if (!options.ci && !options.json) {
+            renderScanHeader(scanCtx, stackSignals);
+        }
+        const runner = new GateRunner(scanCtx.config);
+        const report = await runner.run(cwd, files.length > 0 ? files : undefined);
+        // Write machine report and score history
+        const reportPath = path.join(cwd, scanCtx.config.output.report_path);
+        await fs.writeJson(reportPath, report, { spaces: 2 });
+        recordScore(cwd, report);
+        // Generate fix packet on failure
+        if (report.status === 'FAIL') {
+            const fixPacketService = new FixPacketService();
+            const fixPacket = fixPacketService.generate(report, scanCtx.config);
+            const fixPacketPath = path.join(cwd, 'rigour-fix-packet.json');
+            await fs.writeJson(fixPacketPath, fixPacket, { spaces: 2 });
+        }
+        if (options.json) {
+            process.stdout.write(JSON.stringify({
+                mode: scanCtx.mode,
+                preset: scanCtx.detectedPreset ?? scanCtx.config.preset,
+                paradigm: scanCtx.detectedParadigm ?? scanCtx.config.paradigm,
+                stack: stackSignals,
+                report,
+            }, null, 2) + '\n');
+            process.exit(report.status === 'PASS' ? EXIT_PASS : EXIT_FAIL);
+        }
+        if (options.ci) {
+            const score = report.stats.score ?? 0;
+            if (report.status === 'PASS') {
+                console.log(`PASS (${score}/100)`);
+            }
+            else {
+                console.log(`FAIL: ${report.failures.length} violation(s) | Score: ${score}/100`);
+            }
+            process.exit(report.status === 'PASS' ? EXIT_PASS : EXIT_FAIL);
+        }
+        renderScanResults(report, stackSignals, scanCtx.config.output.report_path, cwd);
+        process.exit(report.status === 'PASS' ? EXIT_PASS : EXIT_FAIL);
+    }
+    catch (error) {
+        if (error.name === 'ZodError') {
+            console.error(chalk.red('\nInvalid configuration for scan mode:'));
+            error.issues.forEach((issue) => {
+                console.error(chalk.red(`  • ${issue.path.join('.')}: ${issue.message}`));
+            });
+            process.exit(EXIT_CONFIG_ERROR);
+        }
+        console.error(chalk.red(`Internal error: ${error.message}`));
+        process.exit(EXIT_INTERNAL_ERROR);
+    }
+}
+async function resolveScanConfig(cwd, options) {
+    const explicitConfig = options.config ? path.resolve(cwd, options.config) : undefined;
+    const defaultConfig = path.join(cwd, 'rigour.yml');
+    const configPath = explicitConfig || defaultConfig;
+    if (await fs.pathExists(configPath)) {
+        const configContent = await fs.readFile(configPath, 'utf-8');
+        const rawConfig = yaml.parse(configContent);
+        const config = ConfigSchema.parse(rawConfig);
+        return {
+            mode: 'existing-config',
+            config,
+            configPath,
+            detectedPreset: config.preset,
+            detectedParadigm: config.paradigm,
+        };
+    }
+    const discovery = new DiscoveryService();
+    const discovered = await discovery.discover(cwd);
+    return {
+        mode: 'auto-discovered',
+        config: ConfigSchema.parse(discovered.config),
+        detectedPreset: discovered.matches.preset?.name,
+        detectedParadigm: discovered.matches.paradigm?.name,
+    };
+}
+async function detectStackSignals(cwd) {
+    const languageChecks = await Promise.all(Object.entries(LANGUAGE_PATTERNS).map(async ([language, patterns]) => {
+        const matches = await globby(patterns, { cwd, gitignore: true, ignore: COMMON_IGNORE });
+        return { language, found: matches.length > 0 };
+    }));
+    const languages = languageChecks.filter(item => item.found).map(item => item.language);
+    const [dockerMatches, terraformMatches, sqlMatches] = await Promise.all([
+        globby(['**/Dockerfile', '**/docker-compose*.yml', '**/*.dockerfile'], { cwd, gitignore: true, ignore: COMMON_IGNORE }),
+        globby(['**/*.tf', '**/*.tfvars', '**/*.hcl'], { cwd, gitignore: true, ignore: COMMON_IGNORE }),
+        globby(['**/*.sql'], { cwd, gitignore: true, ignore: COMMON_IGNORE }),
+    ]);
+    return {
+        languages,
+        hasDocker: dockerMatches.length > 0,
+        hasTerraform: terraformMatches.length > 0,
+        hasSql: sqlMatches.length > 0,
+    };
+}
+function renderScanHeader(scanCtx, stackSignals) {
+    console.log(chalk.bold.cyan('\nRigour Scan'));
+    console.log(chalk.dim('Zero-config security and AI-drift sweep using existing Rigour gates.\n'));
+    const modeLabel = scanCtx.mode === 'existing-config'
+        ? `Using existing config: ${path.basename(scanCtx.configPath || 'rigour.yml')}`
+        : 'Auto-discovered config (no rigour.yml required)';
+    const preset = scanCtx.detectedPreset || scanCtx.config.preset || 'universal';
+    const paradigm = scanCtx.detectedParadigm || scanCtx.config.paradigm || 'general';
+    console.log(chalk.bold(`Mode:`) + ` ${modeLabel}`);
+    console.log(chalk.bold(`Detected profile:`) + ` preset=${preset}, paradigm=${paradigm}`);
+    console.log(chalk.bold(`Detected stack:`) + ` ${stackSignals.languages.join(', ') || 'No major language signatures detected'}`);
+    console.log('');
+}
+function renderScanResults(report, stackSignals, reportPath, cwd) {
+    const fakePackages = extractHallucinatedImports(report.failures);
+    const criticalSecrets = report.failures.filter(f => f.id === 'security-patterns' && f.severity === 'critical');
+    const phantomApis = report.failures.filter(f => f.id === 'phantom-apis');
+    const ignoredErrors = report.failures.filter(f => f.id === 'promise-safety' && (f.severity === 'high' || f.severity === 'critical'));
+    // --- Scary headlines for the worst findings ---
+    let scaryHeadlines = 0;
+    if (criticalSecrets.length > 0) {
+        console.log(chalk.red.bold(`🔑 HARDCODED SECRETS: ${criticalSecrets.length} credential(s) exposed in plain text`));
+        const firstFile = criticalSecrets[0].files?.[0];
+        if (firstFile)
+            console.log(chalk.dim(`   First hit: ${firstFile}`));
+        scaryHeadlines++;
+    }
+    if (fakePackages.length > 0) {
+        const unique = [...new Set(fakePackages)];
+        console.log(chalk.red.bold(`📦 HALLUCINATED PACKAGES: ${unique.length} import(s) don't exist — will crash at runtime`));
+        console.log(chalk.dim(`   Examples: ${unique.slice(0, 4).join(', ')}${unique.length > 4 ? `, +${unique.length - 4} more` : ''}`));
+        scaryHeadlines++;
+    }
+    if (phantomApis.length > 0) {
+        console.log(chalk.red.bold(`👻 PHANTOM APIs: ${phantomApis.length} call(s) to methods that don't exist in stdlib`));
+        scaryHeadlines++;
+    }
+    if (ignoredErrors.length > 0) {
+        console.log(chalk.yellow.bold(`🔇 SILENT FAILURES: ${ignoredErrors.length} async error(s) swallowed — failures will vanish without a trace`));
+        scaryHeadlines++;
+    }
+    if (scaryHeadlines > 0)
+        console.log('');
+    const statusColor = report.status === 'PASS' ? chalk.green.bold : chalk.red.bold;
+    const statusLabel = report.status === 'PASS' ? 'PASS' : 'FAIL';
+    const score = report.stats.score ?? 0;
+    const aiHealth = report.stats.ai_health_score ?? 0;
+    const structural = report.stats.structural_score ?? 0;
+    console.log(statusColor(`${statusLabel} | Score ${score}/100 | AI Health ${aiHealth}/100 | Structural ${structural}/100`));
+    const severity = report.stats.severity_breakdown || {};
+    const sevParts = ['critical', 'high', 'medium', 'low', 'info']
+        .filter(level => (severity[level] || 0) > 0)
+        .map(level => `${level}: ${severity[level]}`);
+    if (sevParts.length > 0) {
+        console.log(`Severity: ${sevParts.join(', ')}`);
+    }
+    renderCoverageWarnings(stackSignals);
+    console.log('');
+    if (report.status === 'FAIL') {
+        // Sort by severity so critical findings appear first
+        const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+        const sorted = [...report.failures].sort((a, b) => (SEVERITY_ORDER[a.severity ?? 'medium'] ?? 2) - (SEVERITY_ORDER[b.severity ?? 'medium'] ?? 2));
+        const topFindings = sorted.slice(0, 8);
+        for (const failure of topFindings) {
+            const sev = failure.severity ?? 'medium';
+            const sevColor = sev === 'critical' ? chalk.red.bold
+                : sev === 'high' ? chalk.yellow.bold
+                    : sev === 'medium' ? chalk.white
+                        : chalk.dim;
+            console.log(sevColor(`${sev.toUpperCase().padEnd(8)} [${failure.id}] ${failure.title}`));
+            if (failure.files && failure.files.length > 0) {
+                console.log(chalk.dim(`         ${failure.files.slice(0, 2).join(', ')}`));
+            }
+        }
+        if (report.failures.length > topFindings.length) {
+            console.log(chalk.dim(`\n...and ${report.failures.length - topFindings.length} more. See full report.`));
+        }
+    }
+    const trend = getScoreTrend(cwd);
+    if (trend && trend.recentScores.length >= 3) {
+        const arrow = trend.direction === 'improving' ? '↑' : trend.direction === 'degrading' ? '↓' : '→';
+        const color = trend.direction === 'improving' ? chalk.green : trend.direction === 'degrading' ? chalk.red : chalk.dim;
+        console.log(color(`\nTrend: ${trend.recentScores.join(' → ')} ${arrow}`));
+    }
+    console.log(chalk.yellow(`\nFull report: ${reportPath}`));
+    if (report.status === 'FAIL') {
+        console.log(chalk.yellow('Fix packet:  rigour-fix-packet.json'));
+    }
+    console.log(chalk.dim(`Finished in ${report.stats.duration_ms}ms`));
+    // --- Next steps ---
+    console.log('');
+    if (report.status === 'FAIL') {
+        console.log(chalk.bold('Next steps:'));
+        console.log(`  ${chalk.cyan('rigour explain')}      — get plain-English fix suggestions`);
+        console.log(`  ${chalk.cyan('rigour init')}         — add quality gates to your project (blocks AI from repeating this)`);
+        console.log(`  ${chalk.cyan('rigour check --ci')}   — enforce in CI/CD pipeline`);
+    }
+    else {
+        console.log(chalk.green.bold('✓ This repo is clean. Add it to CI to keep it that way:'));
+        console.log(`  ${chalk.cyan('rigour init')}  — write quality gates to rigour.yml + CI config`);
+    }
+}
+function renderCoverageWarnings(stackSignals) {
+    const gaps = [];
+    for (const language of stackSignals.languages) {
+        const supportedBy = Object.entries(HEADLINE_GATE_SUPPORT)
+            .filter(([, languages]) => languages.includes(language))
+            .map(([gateId]) => gateId);
+        if (supportedBy.length < 3) {
+            gaps.push(`${language}: partial support (${supportedBy.join(', ') || 'none'})`);
+        }
+    }
+    if (stackSignals.hasDocker || stackSignals.hasTerraform) {
+        gaps.push('Infra files detected (Docker/Terraform) but no dedicated vulnerability/drift gate yet');
+    }
+    if (stackSignals.hasSql) {
+        gaps.push('SQL files detected but no dedicated .sql static gate yet (string-level SQL checks only)');
+    }
+    if (gaps.length > 0) {
+        console.log(chalk.yellow('Coverage gaps to close:'));
+        gaps.forEach(gap => console.log(chalk.yellow(`  - ${gap}`)));
+    }
+}
+function extractHallucinatedImports(failures) {
+    const fakeImports = [];
+    for (const failure of failures) {
+        if (failure.id !== 'hallucinated-imports')
+            continue;
+        const matches = failure.details.matchAll(/import '([^']+)'/g);
+        for (const match of matches) {
+            fakeImports.push(match[1]);
+        }
+    }
+    return fakeImports;
+}

package/dist/commands/scan.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/commands/scan.test.js

@@ -0,0 +1,64 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import fs from 'fs-extra';
+import path from 'path';
+import os from 'os';
+import { scanCommand } from './scan.js';
+describe('scanCommand', () => {
+    let testDir;
+    beforeEach(async () => {
+        testDir = await fs.mkdtemp(path.join(os.tmpdir(), 'rigour-scan-test-'));
+        vi.spyOn(process, 'exit').mockImplementation(() => undefined);
+        vi.spyOn(console, 'log').mockImplementation(() => { });
+        vi.spyOn(console, 'error').mockImplementation(() => { });
+    });
+    afterEach(async () => {
+        await fs.remove(testDir);
+        vi.restoreAllMocks();
+    });
+    it('runs in zero-config mode without rigour.yml', async () => {
+        await fs.writeJson(path.join(testDir, 'package.json'), { name: 'scan-zero-config-test' });
+        await fs.writeFile(path.join(testDir, 'index.js'), "import fake from 'totally-fake-package';\nconsole.log(fake);\n");
+        await expect(scanCommand(testDir, [], {})).resolves.not.toThrow();
+        expect(process.exit).toHaveBeenCalled();
+        expect(await fs.pathExists(path.join(testDir, 'rigour-report.json'))).toBe(true);
+    }, 30_000);
+    it('uses provided config path when passed', async () => {
+        await fs.writeFile(path.join(testDir, 'app.js'), "export const ok = 42;\n");
+        await fs.writeFile(path.join(testDir, 'scan-config.yml'), `
+version: 1
+gates:
+  required_files: []
+  forbid_todos: false
+  forbid_fixme: false
+  context:
+    enabled: false
+  environment:
+    enabled: false
+  retry_loop_breaker:
+    enabled: false
+  security:
+    enabled: false
+  duplication_drift:
+    enabled: false
+  hallucinated_imports:
+    enabled: false
+  inconsistent_error_handling:
+    enabled: false
+  context_window_artifacts:
+    enabled: false
+  promise_safety:
+    enabled: false
+  phantom_apis:
+    enabled: false
+  deprecated_apis:
+    enabled: false
+  test_quality:
+    enabled: false
+output:
+  report_path: scan-report.json
+`);
+        await expect(scanCommand(testDir, [], { config: 'scan-config.yml' })).resolves.not.toThrow();
+        expect(process.exit).toHaveBeenCalledWith(0);
+        expect(await fs.pathExists(path.join(testDir, 'scan-report.json'))).toBe(true);
+    }, 30_000);
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/cli",
-  "version": "3.0.4",
+  "version": "3.0.6",
   "description": "CLI quality gates for AI-generated code. Forces AI agents (Claude, Cursor, Copilot) to meet strict engineering standards with PASS/FAIL enforcement.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -44,7 +44,7 @@
     "inquirer": "9.2.16",
     "ora": "^8.0.1",
     "yaml": "^2.8.2",
-    "@rigour-labs/core": "3.0.4"
+    "@rigour-labs/core": "3.0.6"
   },
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",