@rigour-labs/core 2.21.2 → 3.0.0

package/src/gates/security-patterns.test.ts

@@ -1,162 +0,0 @@
-import { describe, it, expect, beforeEach, afterEach } from 'vitest';
-import { SecurityPatternsGate, checkSecurityPatterns } from './security-patterns.js';
-import * as fs from 'fs';
-import * as path from 'path';
-import * as os from 'os';
-
-describe('SecurityPatternsGate', () => {
-    let testDir: string;
-
-    beforeEach(() => {
-        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'security-test-'));
-    });
-
-    afterEach(() => {
-        fs.rmSync(testDir, { recursive: true, force: true });
-    });
-
-    describe('gate initialization', () => {
-        it('should create gate with default config', () => {
-            const gate = new SecurityPatternsGate();
-            expect(gate.id).toBe('security-patterns');
-            expect(gate.title).toBe('Security Pattern Detection');
-        });
-
-        it('should skip when not enabled', async () => {
-            const gate = new SecurityPatternsGate({ enabled: false });
-            const failures = await gate.run({ cwd: testDir });
-            expect(failures).toEqual([]);
-        });
-    });
-
-    describe('SQL injection detection', () => {
-        it('should detect string concatenation in queries', async () => {
-            const filePath = path.join(testDir, 'db.ts');
-            fs.writeFileSync(filePath, `
-                const userId = req.params.id;
-                db.query("SELECT * FROM users WHERE id = " + userId + " LIMIT 1");
-            `);
-
-            const vulns = await checkSecurityPatterns(filePath);
-            expect(vulns.some(v => v.type === 'sql_injection')).toBe(true);
-        });
-
-        it('should detect template literal SQL', async () => {
-            const filePath = path.join(testDir, 'query.ts');
-            fs.writeFileSync(filePath, `
-                db.execute(\`SELECT * FROM users WHERE id = \${userId}\`);
-            `);
-
-            const vulns = await checkSecurityPatterns(filePath);
-            expect(vulns.some(v => v.type === 'sql_injection')).toBe(true);
-        });
-    });
-
-    describe('XSS detection', () => {
-        it('should detect innerHTML assignment', async () => {
-            const filePath = path.join(testDir, 'dom.js');
-            fs.writeFileSync(filePath, `
-                element.innerHTML = userInput;
-            `);
-
-            const vulns = await checkSecurityPatterns(filePath);
-            expect(vulns.some(v => v.type === 'xss')).toBe(true);
-        });
-
-        it('should detect dangerouslySetInnerHTML', async () => {
-            const filePath = path.join(testDir, 'component.tsx');
-            fs.writeFileSync(filePath, `
-                <div dangerouslySetInnerHTML={{ __html: content }} />
-            `);
-
-            const vulns = await checkSecurityPatterns(filePath);
-            expect(vulns.some(v => v.type === 'xss')).toBe(true);
-        });
-    });
-
-    describe('hardcoded secrets detection', () => {
-        it('should detect hardcoded API keys', async () => {
-            const filePath = path.join(testDir, 'config.ts');
-            fs.writeFileSync(filePath, `
-                const API_KEY = "sk-1234567890abcdefghijklmnopqrst";
-            `);
-
-            const vulns = await checkSecurityPatterns(filePath);
-            expect(vulns.some(v => v.type === 'hardcoded_secrets')).toBe(true);
-        });
-
-        it('should detect private keys', async () => {
-            const filePath = path.join(testDir, 'key.ts');
-            fs.writeFileSync(filePath, `
-                const privateKey = "-----BEGIN RSA PRIVATE KEY-----";
-            `);
-
-            const vulns = await checkSecurityPatterns(filePath);
-            expect(vulns.some(v => v.type === 'hardcoded_secrets')).toBe(true);
-        });
-
-        it('should detect password assignments', async () => {
-            const filePath = path.join(testDir, 'auth.ts');
-            fs.writeFileSync(filePath, `
-                const password = "supersecretpassword123";
-            `);
-
-            const vulns = await checkSecurityPatterns(filePath);
-            expect(vulns.some(v => v.type === 'hardcoded_secrets')).toBe(true);
-        });
-    });
-
-    describe('insecure randomness detection', () => {
-        it('should detect Math.random usage', async () => {
-            const filePath = path.join(testDir, 'token.ts');
-            fs.writeFileSync(filePath, `
-                const token = Math.random().toString(36);
-            `);
-
-            const vulns = await checkSecurityPatterns(filePath);
-            expect(vulns.some(v => v.type === 'insecure_randomness')).toBe(true);
-        });
-    });
-
-    describe('command injection detection', () => {
-        it('should detect exec with user input', async () => {
-            const filePath = path.join(testDir, 'shell.ts');
-            fs.writeFileSync(filePath, `
-                exec(\`ls \${req.query.path}\`);
-            `);
-
-            const vulns = await checkSecurityPatterns(filePath);
-            expect(vulns.some(v => v.type === 'command_injection')).toBe(true);
-        });
-    });
-
-    describe('severity filtering', () => {
-        it('should block on high severity by default', async () => {
-            const gate = new SecurityPatternsGate({ enabled: true });
-
-            const filePath = path.join(testDir, 'test.ts');
-            fs.writeFileSync(filePath, `
-                element.innerHTML = userInput;
-            `);
-
-            const failures = await gate.run({ cwd: testDir });
-            expect(failures.length).toBeGreaterThan(0);
-        });
-
-        it('should respect block_on_severity threshold', async () => {
-            const gate = new SecurityPatternsGate({
-                enabled: true,
-                block_on_severity: 'critical'
-            });
-
-            // innerHTML is 'high', not 'critical'
-            const filePath = path.join(testDir, 'test.ts');
-            fs.writeFileSync(filePath, `
-                element.innerHTML = userInput;
-            `);
-
-            const failures = await gate.run({ cwd: testDir });
-            expect(failures).toHaveLength(0); // High severity not blocked
-        });
-    });
-});

package/src/gates/security-patterns.ts

@@ -1,305 +0,0 @@
-/**
- * Security Patterns Gate
- * 
- * Detects code-level security vulnerabilities for frontier models
- * that may generate insecure patterns at scale.
- * 
- * Patterns covered:
- * - SQL Injection
- * - XSS (Cross-Site Scripting)
- * - Path Traversal
- * - Hardcoded Secrets
- * - Insecure Randomness
- * - Command Injection
- * 
- * @since v2.14.0
- */
-
-import { Gate, GateContext } from './base.js';
-import { Failure } from '../types/index.js';
-import { FileScanner } from '../utils/scanner.js';
-import { Logger } from '../utils/logger.js';
-import fs from 'fs-extra';
-import path from 'path';
-
-export interface SecurityVulnerability {
-    type: string;
-    severity: 'critical' | 'high' | 'medium' | 'low';
-    file: string;
-    line: number;
-    match: string;
-    description: string;
-    cwe?: string;
-}
-
-export interface SecurityPatternsConfig {
-    enabled?: boolean;
-    sql_injection?: boolean;
-    xss?: boolean;
-    path_traversal?: boolean;
-    hardcoded_secrets?: boolean;
-    insecure_randomness?: boolean;
-    command_injection?: boolean;
-    block_on_severity?: 'critical' | 'high' | 'medium' | 'low';
-}
-
-// Pattern definitions with regex and metadata
-const VULNERABILITY_PATTERNS: {
-    type: string;
-    regex: RegExp;
-    severity: 'critical' | 'high' | 'medium' | 'low';
-    description: string;
-    cwe: string;
-    languages: string[];
-}[] = [
-        // SQL Injection
-        {
-            type: 'sql_injection',
-            regex: /(?:execute|query|raw|exec)\s*\(\s*[`'"].*\$\{.+\}|`\s*\+\s*\w+|\$\{.+\}.*(?:SELECT|INSERT|UPDATE|DELETE|DROP)/gi,
-            severity: 'critical',
-            description: 'Potential SQL injection: User input concatenated into SQL query',
-            cwe: 'CWE-89',
-            languages: ['ts', 'js', 'py']
-        },
-        {
-            type: 'sql_injection',
-            regex: /\.query\s*\(\s*['"`].*\+.*\+.*['"`]\s*\)/g,
-            severity: 'critical',
-            description: 'SQL query built with string concatenation',
-            cwe: 'CWE-89',
-            languages: ['ts', 'js']
-        },
-        // XSS
-        {
-            type: 'xss',
-            regex: /innerHTML\s*=\s*(?!\s*['"`]\s*['"`])[^;]+/g,
-            severity: 'high',
-            description: 'Potential XSS: innerHTML assignment with dynamic content',
-            cwe: 'CWE-79',
-            languages: ['ts', 'js', 'tsx', 'jsx']
-        },
-        {
-            type: 'xss',
-            regex: /dangerouslySetInnerHTML\s*=\s*\{/g,
-            severity: 'high',
-            description: 'dangerouslySetInnerHTML usage (ensure content is sanitized)',
-            cwe: 'CWE-79',
-            languages: ['tsx', 'jsx']
-        },
-        {
-            type: 'xss',
-            regex: /document\.write\s*\(/g,
-            severity: 'high',
-            description: 'document.write is dangerous for XSS',
-            cwe: 'CWE-79',
-            languages: ['ts', 'js']
-        },
-        // Path Traversal
-        {
-            type: 'path_traversal',
-            regex: /(?:readFile|writeFile|readdir|unlink|rmdir)\s*\([^)]*(?:req\.(?:params|query|body)|\.\.\/)/g,
-            severity: 'high',
-            description: 'Potential path traversal: File operation with user input',
-            cwe: 'CWE-22',
-            languages: ['ts', 'js']
-        },
-        {
-            type: 'path_traversal',
-            regex: /path\.join\s*\([^)]*req\./g,
-            severity: 'medium',
-            description: 'path.join with request data (verify input sanitization)',
-            cwe: 'CWE-22',
-            languages: ['ts', 'js']
-        },
-        // Hardcoded Secrets
-        {
-            type: 'hardcoded_secrets',
-            regex: /(?:password|secret|api_key|apikey|auth_token|access_token|private_key)\s*[:=]\s*['"][^'"]{8,}['"]/gi,
-            severity: 'critical',
-            description: 'Hardcoded secret detected in code',
-            cwe: 'CWE-798',
-            languages: ['ts', 'js', 'py', 'java', 'go']
-        },
-        {
-            type: 'hardcoded_secrets',
-            regex: /(?:sk-|pk-|rk-|ghp_|gho_|ghu_|ghs_|ghr_)[a-zA-Z0-9]{20,}/g,
-            severity: 'critical',
-            description: 'API key pattern detected (OpenAI, GitHub, etc.)',
-            cwe: 'CWE-798',
-            languages: ['*']
-        },
-        {
-            type: 'hardcoded_secrets',
-            regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
-            severity: 'critical',
-            description: 'Private key embedded in source code',
-            cwe: 'CWE-798',
-            languages: ['*']
-        },
-        // Insecure Randomness
-        {
-            type: 'insecure_randomness',
-            regex: /Math\.random\s*\(\s*\)/g,
-            severity: 'medium',
-            description: 'Math.random() is not cryptographically secure',
-            cwe: 'CWE-338',
-            languages: ['ts', 'js', 'tsx', 'jsx']
-        },
-        // Command Injection
-        {
-            type: 'command_injection',
-            regex: /(?:exec|spawn|execSync|spawnSync)\s*\([^)]*(?:req\.|`.*\$\{)/g,
-            severity: 'critical',
-            description: 'Potential command injection: shell execution with user input',
-            cwe: 'CWE-78',
-            languages: ['ts', 'js']
-        },
-        {
-            type: 'command_injection',
-            regex: /child_process.*\s*\.\s*(?:exec|spawn)\s*\(/g,
-            severity: 'high',
-            description: 'child_process usage detected (verify input sanitization)',
-            cwe: 'CWE-78',
-            languages: ['ts', 'js']
-        },
-    ];
-
-export class SecurityPatternsGate extends Gate {
-    private config: SecurityPatternsConfig;
-    private severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
-
-    constructor(config: SecurityPatternsConfig = {}) {
-        super('security-patterns', 'Security Pattern Detection');
-        this.config = {
-            enabled: config.enabled ?? true,
-            sql_injection: config.sql_injection ?? true,
-            xss: config.xss ?? true,
-            path_traversal: config.path_traversal ?? true,
-            hardcoded_secrets: config.hardcoded_secrets ?? true,
-            insecure_randomness: config.insecure_randomness ?? true,
-            command_injection: config.command_injection ?? true,
-            block_on_severity: config.block_on_severity ?? 'high',
-        };
-    }
-
-    async run(context: GateContext): Promise<Failure[]> {
-        if (!this.config.enabled) {
-            return [];
-        }
-
-        const failures: Failure[] = [];
-        const vulnerabilities: SecurityVulnerability[] = [];
-
-        const files = await FileScanner.findFiles({
-            cwd: context.cwd,
-            patterns: ['**/*.{ts,js,tsx,jsx,py,java,go}'],
-        });
-
-        Logger.info(`Security Patterns Gate: Scanning ${files.length} files`);
-
-        for (const file of files) {
-            try {
-                const fullPath = path.join(context.cwd, file);
-                const content = await fs.readFile(fullPath, 'utf-8');
-                const ext = path.extname(file).slice(1);
-
-                this.scanFileForVulnerabilities(content, file, ext, vulnerabilities);
-            } catch (e) { }
-        }
-
-        // Filter by enabled checks
-        const filteredVulns = vulnerabilities.filter(v => {
-            switch (v.type) {
-                case 'sql_injection': return this.config.sql_injection;
-                case 'xss': return this.config.xss;
-                case 'path_traversal': return this.config.path_traversal;
-                case 'hardcoded_secrets': return this.config.hardcoded_secrets;
-                case 'insecure_randomness': return this.config.insecure_randomness;
-                case 'command_injection': return this.config.command_injection;
-                default: return true;
-            }
-        });
-
-        // Sort by severity
-        filteredVulns.sort((a, b) =>
-            this.severityOrder[a.severity] - this.severityOrder[b.severity]
-        );
-
-        // Convert to failures based on block_on_severity threshold
-        const blockThreshold = this.severityOrder[this.config.block_on_severity ?? 'high'];
-
-        for (const vuln of filteredVulns) {
-            if (this.severityOrder[vuln.severity] <= blockThreshold) {
-                failures.push(this.createFailure(
-                    `[${vuln.cwe}] ${vuln.description}`,
-                    [vuln.file],
-                    `Found: "${vuln.match.slice(0, 60)}..." - Use parameterized queries/sanitization.`,
-                    `Security: ${vuln.type.replace('_', ' ').toUpperCase()}`,
-                    vuln.line,
-                    vuln.line
-                ));
-            }
-        }
-
-        if (filteredVulns.length > 0 && failures.length === 0) {
-            // Vulnerabilities found but below threshold - log info
-            Logger.info(`Security scan found ${filteredVulns.length} issues below ${this.config.block_on_severity} threshold`);
-        }
-
-        return failures;
-    }
-
-    private scanFileForVulnerabilities(
-        content: string,
-        file: string,
-        ext: string,
-        vulnerabilities: SecurityVulnerability[]
-    ): void {
-        const lines = content.split('\n');
-
-        for (const pattern of VULNERABILITY_PATTERNS) {
-            // Check if pattern applies to this file type
-            if (!pattern.languages.includes('*') && !pattern.languages.includes(ext)) {
-                continue;
-            }
-
-            // Reset regex state
-            pattern.regex.lastIndex = 0;
-
-            let match;
-            while ((match = pattern.regex.exec(content)) !== null) {
-                // Find line number
-                const beforeMatch = content.slice(0, match.index);
-                const lineNumber = beforeMatch.split('\n').length;
-
-                vulnerabilities.push({
-                    type: pattern.type,
-                    severity: pattern.severity,
-                    file,
-                    line: lineNumber,
-                    match: match[0],
-                    description: pattern.description,
-                    cwe: pattern.cwe,
-                });
-            }
-        }
-    }
-}
-
-/**
- * Quick helper to check a single file for security issues
- */
-export async function checkSecurityPatterns(
-    filePath: string,
-    config: SecurityPatternsConfig = { enabled: true }
-): Promise<SecurityVulnerability[]> {
-    const gate = new SecurityPatternsGate(config);
-    const content = await fs.readFile(filePath, 'utf-8');
-    const ext = path.extname(filePath).slice(1);
-    const vulnerabilities: SecurityVulnerability[] = [];
-
-    // Use the private method via reflection for testing
-    (gate as any).scanFileForVulnerabilities(content, filePath, ext, vulnerabilities);
-
-    return vulnerabilities;
-}

package/src/gates/structure.ts

@@ -1,36 +0,0 @@
-import fs from 'fs-extra';
-import path from 'path';
-import { Gate, GateContext } from './base.js';
-import { Failure } from '../types/index.js';
-
-export interface StructureGateConfig {
-    requiredFiles: string[];
-}
-
-export class StructureGate extends Gate {
-    constructor(private config: StructureGateConfig) {
-        super('structure-check', 'Project Structure');
-    }
-
-    async run(context: GateContext): Promise<Failure[]> {
-        const missing: string[] = [];
-        for (const file of this.config.requiredFiles) {
-            const filePath = path.join(context.cwd, file);
-            if (!(await fs.pathExists(filePath))) {
-                missing.push(file);
-            }
-        }
-
-        if (missing.length > 0) {
-            return [
-                this.createFailure(
-                    'The following required files are missing:',
-                    missing,
-                    'Create these files to maintain project documentation and consistency.'
-                ),
-            ];
-        }
-
-        return [];
-    }
-}

package/src/index.ts

@@ -1,13 +0,0 @@
-export * from './types/index.js';
-export * from './gates/runner.js';
-export * from './discovery.js';
-export * from './services/fix-packet-service.js';
-export * from './templates/index.js';
-export * from './types/fix-packet.js';
-export { Gate, GateContext } from './gates/base.js';
-export { RetryLoopBreakerGate } from './gates/retry-loop-breaker.js';
-export * from './utils/logger.js';
-// Pattern Index is intentionally NOT exported here to prevent
-// native dependency issues (sharp/transformers) from leaking into 
-// non-AI parts of the system. 
-// Import from @rigour-labs/core/pattern-index instead.

package/src/pattern-index/embeddings.ts

@@ -1,84 +0,0 @@
-/**
- * Semantic Embedding Service
- * 
- * Uses Transformers.js for local vector embeddings.
- */
-
-/**
- * Singleton for the embedding pipeline to avoid re-loading the model.
- */
-let embeddingPipeline: any = null;
-
-/**
- * Get or initialize the embedding pipeline.
- */
-async function getPipeline() {
-    // Definitive bypass for tests to avoid native 'sharp' dependency issues
-    if (process.env.VITEST) {
-        return async (text: string) => {
-            const vector = new Array(384).fill(0);
-            for (let i = 0; i < Math.min(text.length, 384); i++) {
-                vector[i] = text.charCodeAt(i) / 255;
-            }
-            return { data: new Float32Array(vector) };
-        };
-    }
-
-    if (!embeddingPipeline) {
-        try {
-            // Dynamic import to isolate native dependency issues (like sharp)
-            const { pipeline } = await import('@xenova/transformers');
-
-            // Using a compact but high-quality model for local embeddings
-            embeddingPipeline = await pipeline('feature-extraction', 'Xenova/all-MiniLM-L6-v2');
-        } catch (error) {
-            console.error('Failed to initialize embedding pipeline:', error);
-            throw error;
-        }
-    }
-    return embeddingPipeline;
-}
-
-/**
- * Generate an embedding for a piece of text.
- */
-export async function generateEmbedding(text: string): Promise<number[]> {
-    try {
-        const extractor = await getPipeline();
-        const output = await extractor(text, { pooling: 'mean', normalize: true });
-        return Array.from(output.data);
-    } catch (error) {
-        console.warn('Semantic reasoning disabled: Embedding generation failed.', error);
-        return [];
-    }
-}
-
-/**
- * Calculate cosine similarity between two vectors.
- */
-export function cosineSimilarity(v1: number[], v2: number[]): number {
-    if (!v1 || !v2 || v1.length !== v2.length || v1.length === 0) return 0;
-
-    let dotProduct = 0;
-    let norm1 = 0;
-    let norm2 = 0;
-
-    for (let i = 0; i < v1.length; i++) {
-        dotProduct += v1[i] * v2[i];
-        norm1 += v1[i] * v1[i];
-        norm2 += v2[i] * v2[i];
-    }
-
-    const denominator = Math.sqrt(norm1) * Math.sqrt(norm2);
-    return denominator === 0 ? 0 : dotProduct / denominator;
-}
-
-/**
- * Perform semantic search against a list of embeddings.
- */
-export function semanticSearch(queryVector: number[], entries: { embedding?: number[] }[]): number[] {
-    return entries.map(entry => {
-        if (!entry.embedding) return 0;
-        return cosineSimilarity(queryVector, entry.embedding);
-    });
-}

package/src/pattern-index/index.ts

@@ -1,59 +0,0 @@
-/**
- * Pattern Index - Main Export
- * 
- * This is the public API for the Pattern Index system.
- */
-
-// Types
-export type {
-    PatternType,
-    PatternEntry,
-    PatternIndex,
-    PatternIndexConfig,
-    PatternIndexStats,
-    IndexedFile,
-    PatternMatchResult,
-    PatternMatch,
-    PatternOverride,
-    StalenessResult,
-    StalenessIssue,
-    DeprecationEntry
-} from './types.js';
-
-// Indexer
-export {
-    PatternIndexer,
-    savePatternIndex,
-    loadPatternIndex,
-    getDefaultIndexPath
-} from './indexer.js';
-
-// Matcher
-export {
-    PatternMatcher,
-    checkPatternDuplicate,
-    type MatcherConfig
-} from './matcher.js';
-
-// Staleness Detection
-export {
-    StalenessDetector,
-    checkCodeStaleness
-} from './staleness.js';
-
-// Security Detection
-export {
-    SecurityDetector
-} from './security.js';
-
-// Override Management
-export {
-    OverrideManager,
-    loadConfigOverrides
-} from './overrides.js';
-// Embeddings
-export {
-    generateEmbedding,
-    semanticSearch,
-    cosineSimilarity
-} from './embeddings.js';