@rigour-labs/core 4.3.0 → 4.3.2

package/dist/gates/frontend-secret-exposure.d.ts

@@ -0,0 +1,27 @@
+import { Gate, GateContext } from './base.js';
+import { Failure, Provenance } from '../types/index.js';
+export interface FrontendSecretExposureConfig {
+    enabled?: boolean;
+    block_on_severity?: 'critical' | 'high' | 'medium' | 'low';
+    check_process_env?: boolean;
+    check_import_meta_env?: boolean;
+    secret_env_name_patterns?: string[];
+    safe_public_prefixes?: string[];
+    frontend_path_patterns?: string[];
+    server_path_patterns?: string[];
+    allowlist_env_names?: string[];
+}
+export declare class FrontendSecretExposureGate extends Gate {
+    private config;
+    private severityOrder;
+    constructor(config?: FrontendSecretExposureConfig);
+    protected get provenance(): Provenance;
+    run(context: GateContext): Promise<Failure[]>;
+    private shouldSkipFile;
+    private isClientBundled;
+    private isServerOnlyContent;
+    private findEnvExposures;
+    private collectMatches;
+    private isSecretLikeEnvName;
+    private matchesAnyPattern;
+}

package/dist/gates/frontend-secret-exposure.js

@@ -0,0 +1,174 @@
+import { Gate } from './base.js';
+import { FileScanner } from '../utils/scanner.js';
+import { Logger } from '../utils/logger.js';
+import fs from 'fs-extra';
+import path from 'path';
+const DEFAULT_SECRET_ENV_NAME_PATTERNS = [
+    '(?:^|_)(?:secret|private)(?:_|$)',
+    '(?:^|_)(?:token|api[_-]?key|access[_-]?key|client[_-]?secret|signing|webhook)(?:_|$)',
+    '(?:^|_)(?:db[_-]?url|database[_-]?url|connection[_-]?string)(?:_|$)',
+];
+const DEFAULT_SAFE_PUBLIC_PREFIXES = [
+    'NEXT_PUBLIC_',
+    'VITE_',
+    'PUBLIC_',
+    'NUXT_PUBLIC_',
+    'REACT_APP_',
+];
+const DEFAULT_FRONTEND_PATH_PATTERNS = [
+    '(^|/)pages/(?!api/)',
+    '(^|/)components/',
+    '(^|/)src/components/',
+    '(^|/)src/views/',
+    '(^|/)src/app/',
+    '(^|/)app/(?!api/)',
+    '(^|/)views/',
+    '(^|/)public/',
+];
+const DEFAULT_SERVER_PATH_PATTERNS = [
+    '(^|/)pages/api/',
+    '(^|/)src/pages/api/',
+    '(^|/)app/api/',
+    '(^|/)src/app/api/',
+    '\\.server\\.(?:ts|tsx|js|jsx|mjs|cjs)$',
+];
+export class FrontendSecretExposureGate extends Gate {
+    config;
+    severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    constructor(config = {}) {
+        super('frontend-secret-exposure', 'Frontend Secret Exposure Detection');
+        this.config = {
+            enabled: config.enabled ?? true,
+            block_on_severity: config.block_on_severity ?? 'high',
+            check_process_env: config.check_process_env ?? true,
+            check_import_meta_env: config.check_import_meta_env ?? true,
+            secret_env_name_patterns: config.secret_env_name_patterns ?? DEFAULT_SECRET_ENV_NAME_PATTERNS,
+            safe_public_prefixes: config.safe_public_prefixes ?? DEFAULT_SAFE_PUBLIC_PREFIXES,
+            frontend_path_patterns: config.frontend_path_patterns ?? DEFAULT_FRONTEND_PATH_PATTERNS,
+            server_path_patterns: config.server_path_patterns ?? DEFAULT_SERVER_PATH_PATTERNS,
+            allowlist_env_names: config.allowlist_env_names ?? [],
+        };
+    }
+    get provenance() { return 'security'; }
+    async run(context) {
+        if (!this.config.enabled)
+            return [];
+        const files = await FileScanner.findFiles({
+            cwd: context.cwd,
+            patterns: ['**/*.{ts,tsx,js,jsx,mjs,cjs}'],
+            ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/build/**', '**/.next/**', '**/coverage/**'],
+        });
+        const scanFiles = files.filter(file => !this.shouldSkipFile(file));
+        const findings = [];
+        Logger.info(`Frontend Secret Exposure Gate: Scanning ${scanFiles.length} files`);
+        for (const file of scanFiles) {
+            const fullPath = path.join(context.cwd, file);
+            let content = '';
+            try {
+                content = await fs.readFile(fullPath, 'utf-8');
+            }
+            catch {
+                continue;
+            }
+            if (!this.isClientBundled(file, content))
+                continue;
+            findings.push(...this.findEnvExposures(file, content));
+        }
+        findings.sort((a, b) => this.severityOrder[a.severity] - this.severityOrder[b.severity]);
+        const threshold = this.severityOrder[this.config.block_on_severity];
+        return findings
+            .filter(f => this.severityOrder[f.severity] <= threshold)
+            .map(f => this.createFailure(`Potential frontend secret exposure: ${f.source}.${f.envVar} is referenced in client-bundled code.`, [f.file], 'Move secret usage to server-only code (API route/server action) and expose only public-safe values.', 'Security: Frontend Secret Exposure', f.line, f.line, f.severity));
+    }
+    shouldSkipFile(file) {
+        const normalized = file.replace(/\\/g, '/');
+        if (/\.(test|spec)\.(?:ts|tsx|js|jsx|mjs|cjs)$/i.test(normalized))
+            return true;
+        if (/\/(?:__tests__|tests|test|__test__|e2e|fixtures|mocks)\//.test(`/${normalized}`))
+            return true;
+        if (/\/(?:examples|studio-dist)\//.test(`/${normalized}`))
+            return true;
+        return false;
+    }
+    isClientBundled(file, content) {
+        const normalized = file.replace(/\\/g, '/');
+        if (this.matchesAnyPattern(normalized, this.config.server_path_patterns))
+            return false;
+        if (this.isServerOnlyContent(content))
+            return false;
+        if (/^\s*['"]use client['"]\s*;?/m.test(content))
+            return true;
+        if (this.matchesAnyPattern(normalized, this.config.frontend_path_patterns))
+            return true;
+        return false;
+    }
+    isServerOnlyContent(content) {
+        if (/from\s+['"]server-only['"]/.test(content))
+            return true;
+        if (/import\s+['"]server-only['"]/.test(content))
+            return true;
+        if (/export\s+async\s+function\s+getServerSideProps\s*\(/.test(content))
+            return true;
+        if (/export\s+async\s+function\s+getStaticProps\s*\(/.test(content))
+            return true;
+        if (/['"]use server['"]/.test(content))
+            return true;
+        return false;
+    }
+    findEnvExposures(file, content) {
+        const findings = [];
+        if (this.config.check_process_env) {
+            const processEnvRegex = /process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g;
+            findings.push(...this.collectMatches(file, content, processEnvRegex, 'process.env'));
+        }
+        if (this.config.check_import_meta_env) {
+            const importMetaRegex = /import\.meta\.env\.([A-Za-z_][A-Za-z0-9_]*)/g;
+            findings.push(...this.collectMatches(file, content, importMetaRegex, 'import.meta.env'));
+        }
+        return findings;
+    }
+    collectMatches(file, content, regex, source) {
+        const matches = [];
+        const scanRegex = new RegExp(regex.source, 'g');
+        for (const match of content.matchAll(scanRegex)) {
+            const envVar = match[1];
+            if (!this.isSecretLikeEnvName(envVar))
+                continue;
+            const startIndex = match.index ?? 0;
+            const beforeMatch = content.slice(0, startIndex);
+            const line = beforeMatch.split('\n').length;
+            matches.push({
+                file,
+                line,
+                envVar,
+                source,
+                severity: 'high',
+            });
+        }
+        return matches;
+    }
+    isSecretLikeEnvName(envVar) {
+        if (this.config.allowlist_env_names.includes(envVar))
+            return false;
+        if (this.config.safe_public_prefixes.some(prefix => envVar.startsWith(prefix)))
+            return false;
+        return this.config.secret_env_name_patterns.some(pattern => {
+            try {
+                return new RegExp(pattern, 'i').test(envVar);
+            }
+            catch {
+                return false;
+            }
+        });
+    }
+    matchesAnyPattern(value, patterns) {
+        return patterns.some(pattern => {
+            try {
+                return new RegExp(pattern, 'i').test(value);
+            }
+            catch {
+                return false;
+            }
+        });
+    }
+}

package/dist/gates/frontend-secret-exposure.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/gates/frontend-secret-exposure.test.js

@@ -0,0 +1,95 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { FrontendSecretExposureGate } from './frontend-secret-exposure.js';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+describe('FrontendSecretExposureGate', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'frontend-secret-test-'));
+    });
+    afterEach(() => {
+        fs.rmSync(testDir, { recursive: true, force: true });
+    });
+    it('detects process.env secret usage in client-bundled file', async () => {
+        const filePath = path.join(testDir, 'src/components/Checkout.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export function Checkout() {
+                const key = process.env.STRIPE_SECRET_KEY;
+                return <div>{key}</div>;
+            }
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures.length).toBeGreaterThan(0);
+        expect(failures[0].id).toBe('frontend-secret-exposure');
+        expect(failures[0].files).toContain('src/components/Checkout.tsx');
+    });
+    it('detects import.meta.env secret usage in frontend app path', async () => {
+        const filePath = path.join(testDir, 'src/app/page.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export default function Page() {
+                return <span>{import.meta.env.OPENAI_API_KEY}</span>;
+            }
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures.length).toBeGreaterThan(0);
+    });
+    it('does not flag public env prefixes in client files', async () => {
+        const filePath = path.join(testDir, 'components/Header.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const key = process.env.NEXT_PUBLIC_STRIPE_KEY;
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('does not flag server-only API route', async () => {
+        const filePath = path.join(testDir, 'pages/api/charge.ts');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export default function handler() {
+                return process.env.STRIPE_SECRET_KEY;
+            }
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('does not flag .server files', async () => {
+        const filePath = path.join(testDir, 'src/lib/payments.server.ts');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const stripeSecret = process.env.STRIPE_SECRET_KEY;
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('respects explicit allowlist env names', async () => {
+        const filePath = path.join(testDir, 'src/views/App.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const x = process.env.INTERNAL_TOKEN_FOR_DOCS;
+        `);
+        const gate = new FrontendSecretExposureGate({
+            allowlist_env_names: ['INTERNAL_TOKEN_FOR_DOCS'],
+        });
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('skips when disabled', async () => {
+        const filePath = path.join(testDir, 'src/components/Client.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const x = process.env.OPENAI_API_KEY;
+        `);
+        const gate = new FrontendSecretExposureGate({ enabled: false });
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+});

package/dist/gates/runner.js

@@ -15,6 +15,7 @@ import { RetryLoopBreakerGate } from './retry-loop-breaker.js';
 import { AgentTeamGate } from './agent-team.js';
 import { CheckpointGate } from './checkpoint.js';
 import { SecurityPatternsGate } from './security-patterns.js';
+import { FrontendSecretExposureGate } from './frontend-secret-exposure.js';
 import { DuplicationDriftGate } from './duplication-drift.js';
 import { HallucinatedImportsGate } from './hallucinated-imports.js';
 import { InconsistentErrorHandlingGate } from './inconsistent-error-handling.js';
@@ -23,6 +24,7 @@ import { PromiseSafetyGate } from './promise-safety.js';
 import { PhantomApisGate } from './phantom-apis.js';
 import { DeprecatedApisGate } from './deprecated-apis.js';
 import { TestQualityGate } from './test-quality.js';
+import { SideEffectAnalysisGate } from './side-effect-analysis.js';
 import { execa } from 'execa';
 import { Logger } from '../utils/logger.js';
 export class GateRunner {
@@ -66,6 +68,9 @@ export class GateRunner {
         if (this.config.gates.security?.enabled !== false) {
             this.gates.push(new SecurityPatternsGate(this.config.gates.security));
         }
+        if (this.config.gates.frontend_secret_exposure?.enabled !== false) {
+            this.gates.push(new FrontendSecretExposureGate(this.config.gates.frontend_secret_exposure));
+        }
         // v2.16+ AI-Native Drift Detection Gates (enabled by default)
         if (this.config.gates.duplication_drift?.enabled !== false) {
             this.gates.push(new DuplicationDriftGate(this.config.gates.duplication_drift));
@@ -93,6 +98,10 @@ export class GateRunner {
         if (this.config.gates.test_quality?.enabled !== false) {
             this.gates.push(new TestQualityGate(this.config.gates.test_quality));
         }
+        // v4.3+ Side-Effect Safety Analysis (enabled by default)
+        if (this.config.gates.side_effect_analysis?.enabled !== false) {
+            this.gates.push(new SideEffectAnalysisGate(this.config.gates.side_effect_analysis));
+        }
         // Environment Alignment Gate (Should be prioritized)
         if (this.config.gates.environment?.enabled) {
             this.gates.unshift(new EnvironmentGate(this.config.gates));

package/dist/gates/side-effect-analysis.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Side-Effect Analysis Gate
+ *
+ * Context-aware detection of code patterns with real-world consequences:
+ * unbounded process spawns, runaway timers, missing circuit breakers,
+ * circular file watchers, resource leaks, and auto-restart bombs.
+ *
+ * SMART DETECTION APPROACH (not hardcoded regex):
+ * ───────────────────────────────────────────────
+ * 1. VARIABLE BINDING TRACKING: Tracks `const id = setInterval(...)` and
+ *    verifies `clearInterval(id)` exists — not just "does clearInterval
+ *    appear somewhere in the file?"
+ *
+ * 2. SCOPE-AWARE ANALYSIS: Checks cleanup is in the same function scope
+ *    as creation. A clearInterval in a completely different function doesn't
+ *    help the one that created the timer.
+ *
+ * 3. FRAMEWORK AWARENESS: Understands React useEffect cleanup returns,
+ *    Go `defer f.Close()` idiom, Python `with open()` context managers,
+ *    Java try-with-resources, C# using statements, Ruby block form.
+ *
+ * 4. PATH OVERLAP ANALYSIS: For circular triggers, extracts actual paths
+ *    from watch() and writeFile() calls and checks if they overlap.
+ *
+ * 5. BASE CASE ORDERING: For recursion, checks that the base case
+ *    (return/break) comes BEFORE the recursive call, not just that
+ *    both exist somewhere in the function.
+ *
+ * Follows the architectural patterns of:
+ * - hallucinated-imports (build context → scan → resolve → report)
+ * - promise-safety (scope-aware helpers, extractBraceBody, isInsideTryBlock)
+ *
+ * This is a CORE gate (enabled by default, provenance: ai-drift).
+ * Supports: JS/TS, Python, Go, Rust, C#, Java, Ruby
+ *
+ * @since v4.3.0
+ */
+import { Gate, GateContext } from './base.js';
+import { Failure, Provenance } from '../types/index.js';
+export interface SideEffectAnalysisConfig {
+    enabled?: boolean;
+    check_unbounded_timers?: boolean;
+    check_unbounded_loops?: boolean;
+    check_process_lifecycle?: boolean;
+    check_recursive_depth?: boolean;
+    check_resource_lifecycle?: boolean;
+    check_retry_without_limit?: boolean;
+    check_circular_triggers?: boolean;
+    check_auto_restart?: boolean;
+    ignore_patterns?: string[];
+}
+export declare class SideEffectAnalysisGate extends Gate {
+    private cfg;
+    constructor(config?: SideEffectAnalysisConfig);
+    protected get provenance(): Provenance;
+    run(context: GateContext): Promise<Failure[]>;
+    private scanFile;
+    private checkUnboundedTimers;
+    private checkProcessLifecycle;
+    private checkUnboundedLoops;
+    private checkRetryWithoutLimit;
+    private checkCircularTriggers;
+    private checkResourceLifecycle;
+    private checkRecursiveDepth;
+    private checkAutoRestart;
+    private buildFailures;
+}