@safetnsr/vet 1.2.0 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/checks/permissions.d.ts +2 -0
- package/dist/checks/permissions.js +248 -0
- package/dist/checks/tests.d.ts +2 -0
- package/dist/checks/tests.js +228 -0
- package/dist/cli.js +34 -4
- package/package.json +1 -1
|
@@ -0,0 +1,248 @@
|
|
|
1
|
+
import { join, resolve, isAbsolute } from 'node:path';
|
|
2
|
+
import { homedir } from 'node:os';
|
|
3
|
+
import { readFile, fileExists } from '../util.js';
|
|
4
|
+
// ── Sensitive directories that trigger DANGER if MCP server writes there ──
|
|
5
|
+
const SENSITIVE_DIRS = [
|
|
6
|
+
'~/.ssh',
|
|
7
|
+
'~/.aws',
|
|
8
|
+
'/etc',
|
|
9
|
+
'/var/www',
|
|
10
|
+
];
|
|
11
|
+
function expandHome(p) {
|
|
12
|
+
if (p.startsWith('~/'))
|
|
13
|
+
return join(homedir(), p.slice(2));
|
|
14
|
+
if (p === '~')
|
|
15
|
+
return homedir();
|
|
16
|
+
return p;
|
|
17
|
+
}
|
|
18
|
+
function isSensitiveDir(p) {
|
|
19
|
+
const expanded = expandHome(p);
|
|
20
|
+
return SENSITIVE_DIRS.some(d => {
|
|
21
|
+
const expandedSensitive = expandHome(d);
|
|
22
|
+
return expanded === expandedSensitive || expanded.startsWith(expandedSensitive + '/');
|
|
23
|
+
});
|
|
24
|
+
}
|
|
25
|
+
function isOutsideCwd(p, cwd) {
|
|
26
|
+
const expanded = expandHome(p);
|
|
27
|
+
const abs = isAbsolute(expanded) ? expanded : resolve(cwd, expanded);
|
|
28
|
+
const resolvedCwd = resolve(cwd);
|
|
29
|
+
return !abs.startsWith(resolvedCwd + '/') && abs !== resolvedCwd;
|
|
30
|
+
}
|
|
31
|
+
/** Score helper */
|
|
32
|
+
function applyPenalty(score, severity) {
|
|
33
|
+
const penalties = { error: 30, warning: 15, info: 5 };
|
|
34
|
+
return Math.max(0, score - penalties[severity]);
|
|
35
|
+
}
|
|
36
|
+
// ── A. Scan .claude/settings.json ─────────────────────────────────────────
|
|
37
|
+
function checkSettingsJson(cwd, issues) {
|
|
38
|
+
const settingsPath = join(cwd, '.claude', 'settings.json');
|
|
39
|
+
if (!fileExists(settingsPath))
|
|
40
|
+
return;
|
|
41
|
+
const raw = readFile(settingsPath);
|
|
42
|
+
if (!raw)
|
|
43
|
+
return;
|
|
44
|
+
let settings;
|
|
45
|
+
try {
|
|
46
|
+
settings = JSON.parse(raw);
|
|
47
|
+
}
|
|
48
|
+
catch {
|
|
49
|
+
issues.push({
|
|
50
|
+
severity: 'warning',
|
|
51
|
+
message: '.claude/settings.json is not valid JSON — cannot audit permissions',
|
|
52
|
+
file: '.claude/settings.json',
|
|
53
|
+
fixable: false,
|
|
54
|
+
});
|
|
55
|
+
return;
|
|
56
|
+
}
|
|
57
|
+
// allowedTools containing bare "Bash" or "Bash(*)"
|
|
58
|
+
const allowedTools = settings.allowedTools;
|
|
59
|
+
if (Array.isArray(allowedTools)) {
|
|
60
|
+
for (const tool of allowedTools) {
|
|
61
|
+
if (typeof tool === 'string') {
|
|
62
|
+
if (tool === 'Bash' || tool === 'Bash(*)') {
|
|
63
|
+
issues.push({
|
|
64
|
+
severity: 'error',
|
|
65
|
+
message: `allowedTools contains "${tool}" without path restrictions — unrestricted shell access`,
|
|
66
|
+
file: '.claude/settings.json',
|
|
67
|
+
fixable: true,
|
|
68
|
+
fixHint: `Replace "${tool}" with specific allowed commands, e.g. "Bash(npm run *)"`,
|
|
69
|
+
});
|
|
70
|
+
}
|
|
71
|
+
}
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
// permissions.allow with wildcards
|
|
75
|
+
const permissions = settings.permissions;
|
|
76
|
+
if (permissions && Array.isArray(permissions.allow)) {
|
|
77
|
+
for (const rule of permissions.allow) {
|
|
78
|
+
if (typeof rule === 'string' && (rule === 'Bash(*)' || rule === '**' || rule.includes('**'))) {
|
|
79
|
+
issues.push({
|
|
80
|
+
severity: 'error',
|
|
81
|
+
message: `permissions.allow contains wildcard "${rule}" — grants broad access`,
|
|
82
|
+
file: '.claude/settings.json',
|
|
83
|
+
fixable: true,
|
|
84
|
+
fixHint: 'Remove wildcard rules and enumerate specific allowed operations',
|
|
85
|
+
});
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
// defaultMode: "bypassPermissions"
|
|
90
|
+
if (settings.defaultMode === 'bypassPermissions') {
|
|
91
|
+
issues.push({
|
|
92
|
+
severity: 'error',
|
|
93
|
+
message: 'defaultMode is "bypassPermissions" — skips all permission checks',
|
|
94
|
+
file: '.claude/settings.json',
|
|
95
|
+
fixable: true,
|
|
96
|
+
fixHint: 'Remove defaultMode or set to "default"',
|
|
97
|
+
});
|
|
98
|
+
}
|
|
99
|
+
// No blockedTools or deny list
|
|
100
|
+
const hasBlockedTools = Array.isArray(settings.blockedTools) && settings.blockedTools.length > 0;
|
|
101
|
+
const hasDenyList = permissions && Array.isArray(permissions.deny) && permissions.deny.length > 0;
|
|
102
|
+
if (!hasBlockedTools && !hasDenyList) {
|
|
103
|
+
issues.push({
|
|
104
|
+
severity: 'warning',
|
|
105
|
+
message: 'No blockedTools or deny list defined — all unlisted tools remain available',
|
|
106
|
+
file: '.claude/settings.json',
|
|
107
|
+
fixable: true,
|
|
108
|
+
fixHint: 'Add blockedTools: ["Bash", "Write"] to restrict dangerous operations',
|
|
109
|
+
});
|
|
110
|
+
}
|
|
111
|
+
// ── B. MCP server configs ────────────────────────────────────────────────
|
|
112
|
+
checkMcpServers(cwd, settings, '.claude/settings.json', issues);
|
|
113
|
+
}
|
|
114
|
+
// ── B. MCP server analysis ─────────────────────────────────────────────────
|
|
115
|
+
function checkMcpServers(cwd, settings, filePath, issues) {
|
|
116
|
+
const mcpServers = settings.mcpServers;
|
|
117
|
+
if (!mcpServers || typeof mcpServers !== 'object')
|
|
118
|
+
return;
|
|
119
|
+
for (const [serverName, serverConfig] of Object.entries(mcpServers)) {
|
|
120
|
+
if (typeof serverConfig !== 'object' || serverConfig === null)
|
|
121
|
+
continue;
|
|
122
|
+
const config = serverConfig;
|
|
123
|
+
// Check server args for filesystem paths
|
|
124
|
+
const args = config.args;
|
|
125
|
+
const isFilesystemServer = (typeof config.command === 'string' && config.command.includes('filesystem')) ||
|
|
126
|
+
(Array.isArray(args) && args.some((a) => typeof a === 'string' && a.includes('filesystem')));
|
|
127
|
+
// Detect if server is read-only
|
|
128
|
+
const isReadOnly = Array.isArray(args) && args.some((a) => typeof a === 'string' && (a === '--read-only' || a === 'readonly' || a === '--readonly'));
|
|
129
|
+
// Collect root paths from args
|
|
130
|
+
const rootPaths = [];
|
|
131
|
+
if (Array.isArray(args)) {
|
|
132
|
+
for (const arg of args) {
|
|
133
|
+
if (typeof arg === 'string' && !arg.startsWith('-') && (arg.startsWith('/') || arg.startsWith('~/') || arg.startsWith('.'))) {
|
|
134
|
+
rootPaths.push(arg);
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
// Also check explicit root config
|
|
139
|
+
if (typeof config.root === 'string') {
|
|
140
|
+
rootPaths.push(config.root);
|
|
141
|
+
}
|
|
142
|
+
if (Array.isArray(config.roots)) {
|
|
143
|
+
for (const r of config.roots) {
|
|
144
|
+
if (typeof r === 'string')
|
|
145
|
+
rootPaths.push(r);
|
|
146
|
+
}
|
|
147
|
+
}
|
|
148
|
+
if (rootPaths.length === 0) {
|
|
149
|
+
// No path restrictions at all
|
|
150
|
+
issues.push({
|
|
151
|
+
severity: 'warning',
|
|
152
|
+
message: `MCP server "${serverName}" has no explicit path restrictions`,
|
|
153
|
+
file: filePath,
|
|
154
|
+
fixable: true,
|
|
155
|
+
fixHint: `Add root path restriction to "${serverName}" in mcpServers config`,
|
|
156
|
+
});
|
|
157
|
+
continue;
|
|
158
|
+
}
|
|
159
|
+
for (const rootPath of rootPaths) {
|
|
160
|
+
// Check sensitive directory access
|
|
161
|
+
if (isSensitiveDir(rootPath)) {
|
|
162
|
+
issues.push({
|
|
163
|
+
severity: 'error',
|
|
164
|
+
message: `MCP server "${serverName}" has access to sensitive directory: ${rootPath}`,
|
|
165
|
+
file: filePath,
|
|
166
|
+
fixable: true,
|
|
167
|
+
fixHint: `Remove sensitive path "${rootPath}" from MCP server config`,
|
|
168
|
+
});
|
|
169
|
+
continue;
|
|
170
|
+
}
|
|
171
|
+
// Check if root is outside cwd and not read-only
|
|
172
|
+
if (isOutsideCwd(rootPath, cwd) && !isReadOnly) {
|
|
173
|
+
issues.push({
|
|
174
|
+
severity: 'error',
|
|
175
|
+
message: `MCP server "${serverName}" has write access outside project dir: ${rootPath}`,
|
|
176
|
+
file: filePath,
|
|
177
|
+
fixable: true,
|
|
178
|
+
fixHint: `Restrict to project directory or add --read-only flag`,
|
|
179
|
+
});
|
|
180
|
+
}
|
|
181
|
+
}
|
|
182
|
+
}
|
|
183
|
+
}
|
|
184
|
+
// ── C. CLAUDE.md and AGENTS.md text heuristics ────────────────────────────
|
|
185
|
+
const DANGEROUS_PHRASES = [
|
|
186
|
+
/full\s+access/i,
|
|
187
|
+
/unrestricted/i,
|
|
188
|
+
/\bsudo\b/i,
|
|
189
|
+
/skip\s+confirmation/i,
|
|
190
|
+
/no\s+restrictions/i,
|
|
191
|
+
];
|
|
192
|
+
function checkMarkdownFiles(cwd, issues) {
|
|
193
|
+
for (const filename of ['CLAUDE.md', 'AGENTS.md']) {
|
|
194
|
+
const filePath = join(cwd, filename);
|
|
195
|
+
if (!fileExists(filePath))
|
|
196
|
+
continue;
|
|
197
|
+
const content = readFile(filePath);
|
|
198
|
+
if (!content)
|
|
199
|
+
continue;
|
|
200
|
+
const lines = content.split('\n');
|
|
201
|
+
for (const pattern of DANGEROUS_PHRASES) {
|
|
202
|
+
for (let i = 0; i < lines.length; i++) {
|
|
203
|
+
if (pattern.test(lines[i])) {
|
|
204
|
+
const matchText = lines[i].match(pattern)?.[0] ?? pattern.source;
|
|
205
|
+
issues.push({
|
|
206
|
+
severity: 'warning',
|
|
207
|
+
message: `${filename} contains potentially dangerous instruction: "${matchText.trim()}"`,
|
|
208
|
+
file: filename,
|
|
209
|
+
line: i + 1,
|
|
210
|
+
fixable: false,
|
|
211
|
+
fixHint: `Review line ${i + 1} in ${filename} — ensure it doesn't grant unintended permissions`,
|
|
212
|
+
});
|
|
213
|
+
break; // one issue per pattern per file
|
|
214
|
+
}
|
|
215
|
+
}
|
|
216
|
+
}
|
|
217
|
+
}
|
|
218
|
+
}
|
|
219
|
+
// ── Main export ────────────────────────────────────────────────────────────
|
|
220
|
+
export function checkPermissions(cwd) {
|
|
221
|
+
const issues = [];
|
|
222
|
+
checkSettingsJson(cwd, issues);
|
|
223
|
+
checkMarkdownFiles(cwd, issues);
|
|
224
|
+
// Score: start at 100, deduct per issue
|
|
225
|
+
let score = 100;
|
|
226
|
+
for (const issue of issues) {
|
|
227
|
+
score = applyPenalty(score, issue.severity);
|
|
228
|
+
}
|
|
229
|
+
const errorCount = issues.filter(i => i.severity === 'error').length;
|
|
230
|
+
const warnCount = issues.filter(i => i.severity === 'warning').length;
|
|
231
|
+
let summary;
|
|
232
|
+
if (issues.length === 0) {
|
|
233
|
+
summary = 'no dangerous permission grants detected';
|
|
234
|
+
}
|
|
235
|
+
else if (errorCount > 0) {
|
|
236
|
+
summary = `${errorCount} dangerous grant${errorCount !== 1 ? 's' : ''} detected — review before running agent`;
|
|
237
|
+
}
|
|
238
|
+
else {
|
|
239
|
+
summary = `${warnCount} permission warning${warnCount !== 1 ? 's' : ''} — tighten config before agent session`;
|
|
240
|
+
}
|
|
241
|
+
return {
|
|
242
|
+
name: 'permissions',
|
|
243
|
+
score,
|
|
244
|
+
maxScore: 100,
|
|
245
|
+
issues,
|
|
246
|
+
summary,
|
|
247
|
+
};
|
|
248
|
+
}
|
|
@@ -0,0 +1,228 @@
|
|
|
1
|
+
import { join } from 'node:path';
|
|
2
|
+
import { readFileSync } from 'node:fs';
|
|
3
|
+
import { walkFiles } from '../util.js';
|
|
4
|
+
const TEST_FILE_RE = /\.(test|spec)\.(ts|js|tsx|jsx)$/;
|
|
5
|
+
const TEST_DIR_RE = /(?:^|[/\\])(__tests__|tests?)[/\\]/;
|
|
6
|
+
function isTestFile(relPath) {
|
|
7
|
+
return TEST_FILE_RE.test(relPath) || TEST_DIR_RE.test(relPath);
|
|
8
|
+
}
|
|
9
|
+
// Pattern 1: Tautological assertions
|
|
10
|
+
function findTautological(lines, file) {
|
|
11
|
+
const issues = [];
|
|
12
|
+
// expect(literal).toBe(literal) or .toEqual(literal)
|
|
13
|
+
const expectLiteral = /expect\(([^)]+)\)\s*\.\s*(?:toBe|toEqual)\(\s*([^)]+)\s*\)/;
|
|
14
|
+
// assert.strictEqual(x, x)
|
|
15
|
+
const assertStrictEqual = /assert\.strictEqual\(\s*([^,]+?)\s*,\s*([^)]+?)\s*\)/;
|
|
16
|
+
for (let i = 0; i < lines.length; i++) {
|
|
17
|
+
const line = lines[i];
|
|
18
|
+
const m1 = line.match(expectLiteral);
|
|
19
|
+
if (m1) {
|
|
20
|
+
const left = m1[1].trim();
|
|
21
|
+
const right = m1[2].trim();
|
|
22
|
+
if (left === right) {
|
|
23
|
+
issues.push({
|
|
24
|
+
severity: 'error',
|
|
25
|
+
message: `tautological assertion: expect(${left}).toBe/toEqual(${right})`,
|
|
26
|
+
file, line: i + 1, fixable: false,
|
|
27
|
+
fixHint: 'assert on actual behavior, not constant values',
|
|
28
|
+
});
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
const m2 = line.match(assertStrictEqual);
|
|
32
|
+
if (m2) {
|
|
33
|
+
const left = m2[1].trim();
|
|
34
|
+
const right = m2[2].trim();
|
|
35
|
+
if (left === right) {
|
|
36
|
+
issues.push({
|
|
37
|
+
severity: 'error',
|
|
38
|
+
message: `tautological assertion: assert.strictEqual(${left}, ${left})`,
|
|
39
|
+
file, line: i + 1, fixable: false,
|
|
40
|
+
fixHint: 'compare different values — input vs expected output',
|
|
41
|
+
});
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
return issues;
|
|
46
|
+
}
|
|
47
|
+
// Pattern 2: Empty test bodies
|
|
48
|
+
function findEmptyBodies(content, file) {
|
|
49
|
+
const issues = [];
|
|
50
|
+
// Match it/test with arrow or function, empty body
|
|
51
|
+
const re = /(?:^|\n)([ \t]*(?:it|test)\s*\([^,]+,\s*(?:(?:async\s+)?(?:\(\)\s*=>|\([^)]*\)\s*=>|function\s*\([^)]*\)))\s*\{([\s]*)\}\s*\))/g;
|
|
52
|
+
let m;
|
|
53
|
+
while ((m = re.exec(content)) !== null) {
|
|
54
|
+
const body = m[2];
|
|
55
|
+
// body should be empty or whitespace/comments only
|
|
56
|
+
const stripped = body.replace(/\/\/[^\n]*/g, '').replace(/\/\*[\s\S]*?\*\//g, '').trim();
|
|
57
|
+
if (stripped === '') {
|
|
58
|
+
const line = content.substring(0, m.index).split('\n').length;
|
|
59
|
+
issues.push({
|
|
60
|
+
severity: 'error',
|
|
61
|
+
message: 'empty test body — test does nothing',
|
|
62
|
+
file, line, fixable: false,
|
|
63
|
+
fixHint: 'add actual test logic or remove the test',
|
|
64
|
+
});
|
|
65
|
+
}
|
|
66
|
+
}
|
|
67
|
+
return issues;
|
|
68
|
+
}
|
|
69
|
+
// Pattern 3: Todo / skipped tests
|
|
70
|
+
function findTodoSkipped(lines, file) {
|
|
71
|
+
const issues = [];
|
|
72
|
+
const todoRe = /(?:it|test)\.todo\s*\(/;
|
|
73
|
+
const skippedRe = /(?:^|\s)(?:xit|xtest|xdescribe)\s*\(/;
|
|
74
|
+
for (let i = 0; i < lines.length; i++) {
|
|
75
|
+
if (todoRe.test(lines[i])) {
|
|
76
|
+
issues.push({
|
|
77
|
+
severity: 'warning',
|
|
78
|
+
message: 'todo test — placeholder with no implementation',
|
|
79
|
+
file, line: i + 1, fixable: false,
|
|
80
|
+
fixHint: 'implement the test or remove the placeholder',
|
|
81
|
+
});
|
|
82
|
+
}
|
|
83
|
+
if (skippedRe.test(lines[i])) {
|
|
84
|
+
issues.push({
|
|
85
|
+
severity: 'warning',
|
|
86
|
+
message: 'skipped test — disabled with x prefix',
|
|
87
|
+
file, line: i + 1, fixable: false,
|
|
88
|
+
fixHint: 'fix and re-enable or remove the skipped test',
|
|
89
|
+
});
|
|
90
|
+
}
|
|
91
|
+
}
|
|
92
|
+
return issues;
|
|
93
|
+
}
|
|
94
|
+
// Pattern 4: Zero-assertion tests
|
|
95
|
+
// We need to find test blocks with code but no assertions
|
|
96
|
+
function findZeroAssertionTests(content, file) {
|
|
97
|
+
const issues = [];
|
|
98
|
+
// Find it(...) or test(...) blocks - simplified regex for the opening
|
|
99
|
+
const testBlockRe = /(?:^|\n)([ \t]*)(?:it|test)\s*\(\s*(?:'[^']*'|"[^"]*"|`[^`]*`)\s*,\s*(?:async\s+)?(?:\(\)\s*=>|\([^)]*\)\s*=>|function\s*\([^)]*\))\s*\{/g;
|
|
100
|
+
let m;
|
|
101
|
+
while ((m = testBlockRe.exec(content)) !== null) {
|
|
102
|
+
const startIdx = m.index + m[0].length;
|
|
103
|
+
// Find matching closing brace
|
|
104
|
+
let depth = 1;
|
|
105
|
+
let i = startIdx;
|
|
106
|
+
while (i < content.length && depth > 0) {
|
|
107
|
+
if (content[i] === '{')
|
|
108
|
+
depth++;
|
|
109
|
+
else if (content[i] === '}')
|
|
110
|
+
depth--;
|
|
111
|
+
i++;
|
|
112
|
+
}
|
|
113
|
+
if (depth !== 0)
|
|
114
|
+
continue;
|
|
115
|
+
const body = content.substring(startIdx, i - 1);
|
|
116
|
+
const stripped = body.replace(/\/\/[^\n]*/g, '').replace(/\/\*[\s\S]*?\*\//g, '').trim();
|
|
117
|
+
if (stripped === '')
|
|
118
|
+
continue; // empty body handled elsewhere
|
|
119
|
+
// Check for assertion calls
|
|
120
|
+
const assertionRe = /(?:expect\s*\(|assert\.|\.should\.|toBe\s*\(|toEqual\s*\(|toMatch\s*\(|toThrow\s*\()/;
|
|
121
|
+
if (!assertionRe.test(body)) {
|
|
122
|
+
const line = content.substring(0, m.index).split('\n').length;
|
|
123
|
+
issues.push({
|
|
124
|
+
severity: 'warning',
|
|
125
|
+
message: 'test has code but no assertions',
|
|
126
|
+
file, line, fixable: false,
|
|
127
|
+
fixHint: 'add expect() or assert calls to verify behavior',
|
|
128
|
+
});
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
return issues;
|
|
132
|
+
}
|
|
133
|
+
// Pattern 5: Mock-only tests
|
|
134
|
+
function findMockOnlyTests(content, file) {
|
|
135
|
+
const issues = [];
|
|
136
|
+
const testBlockRe = /(?:^|\n)([ \t]*)(?:it|test)\s*\(\s*(?:'[^']*'|"[^"]*"|`[^`]*`)\s*,\s*(?:async\s+)?(?:\(\)\s*=>|\([^)]*\)\s*=>|function\s*\([^)]*\))\s*\{/g;
|
|
137
|
+
let m;
|
|
138
|
+
while ((m = testBlockRe.exec(content)) !== null) {
|
|
139
|
+
const startIdx = m.index + m[0].length;
|
|
140
|
+
let depth = 1;
|
|
141
|
+
let i = startIdx;
|
|
142
|
+
while (i < content.length && depth > 0) {
|
|
143
|
+
if (content[i] === '{')
|
|
144
|
+
depth++;
|
|
145
|
+
else if (content[i] === '}')
|
|
146
|
+
depth--;
|
|
147
|
+
i++;
|
|
148
|
+
}
|
|
149
|
+
if (depth !== 0)
|
|
150
|
+
continue;
|
|
151
|
+
const body = content.substring(startIdx, i - 1);
|
|
152
|
+
// Find all expect lines
|
|
153
|
+
const expectLines = body.split('\n').filter(l => /expect\s*\(/.test(l));
|
|
154
|
+
if (expectLines.length === 0)
|
|
155
|
+
continue;
|
|
156
|
+
const mockRe = /\.mock|mockFn|jest\.fn|vi\.fn/;
|
|
157
|
+
const allMock = expectLines.every(l => mockRe.test(l));
|
|
158
|
+
if (allMock) {
|
|
159
|
+
const line = content.substring(0, m.index).split('\n').length;
|
|
160
|
+
issues.push({
|
|
161
|
+
severity: 'info',
|
|
162
|
+
message: 'test only asserts on mocks — no real behavior verified',
|
|
163
|
+
file, line, fixable: false,
|
|
164
|
+
fixHint: 'add assertions on actual return values or side effects',
|
|
165
|
+
});
|
|
166
|
+
}
|
|
167
|
+
}
|
|
168
|
+
return issues;
|
|
169
|
+
}
|
|
170
|
+
// Pattern 6: Duplicate describe blocks
|
|
171
|
+
function findDuplicateDescribes(lines, file) {
|
|
172
|
+
const issues = [];
|
|
173
|
+
const describeRe = /describe\s*\(\s*(['"`])([^'"`]+)\1/;
|
|
174
|
+
const seen = new Map();
|
|
175
|
+
for (let i = 0; i < lines.length; i++) {
|
|
176
|
+
const m = lines[i].match(describeRe);
|
|
177
|
+
if (m) {
|
|
178
|
+
const name = m[2];
|
|
179
|
+
if (seen.has(name)) {
|
|
180
|
+
issues.push({
|
|
181
|
+
severity: 'info',
|
|
182
|
+
message: `duplicate describe block: "${name}"`,
|
|
183
|
+
file, line: i + 1, fixable: false,
|
|
184
|
+
fixHint: 'merge duplicate describe blocks into one',
|
|
185
|
+
});
|
|
186
|
+
}
|
|
187
|
+
else {
|
|
188
|
+
seen.set(name, i + 1);
|
|
189
|
+
}
|
|
190
|
+
}
|
|
191
|
+
}
|
|
192
|
+
return issues;
|
|
193
|
+
}
|
|
194
|
+
export function checkTests(cwd, ignore) {
|
|
195
|
+
const allFiles = walkFiles(cwd, ignore);
|
|
196
|
+
const testFiles = allFiles.filter(f => isTestFile(f));
|
|
197
|
+
const issues = [];
|
|
198
|
+
for (const rel of testFiles) {
|
|
199
|
+
let content;
|
|
200
|
+
try {
|
|
201
|
+
content = readFileSync(join(cwd, rel), 'utf-8');
|
|
202
|
+
}
|
|
203
|
+
catch {
|
|
204
|
+
continue;
|
|
205
|
+
}
|
|
206
|
+
const lines = content.split('\n');
|
|
207
|
+
issues.push(...findTautological(lines, rel));
|
|
208
|
+
issues.push(...findEmptyBodies(content, rel));
|
|
209
|
+
issues.push(...findTodoSkipped(lines, rel));
|
|
210
|
+
issues.push(...findZeroAssertionTests(content, rel));
|
|
211
|
+
issues.push(...findMockOnlyTests(content, rel));
|
|
212
|
+
issues.push(...findDuplicateDescribes(lines, rel));
|
|
213
|
+
}
|
|
214
|
+
let score = 100;
|
|
215
|
+
for (const issue of issues) {
|
|
216
|
+
if (issue.severity === 'error')
|
|
217
|
+
score -= 8;
|
|
218
|
+
else if (issue.severity === 'warning')
|
|
219
|
+
score -= 4;
|
|
220
|
+
else
|
|
221
|
+
score -= 2;
|
|
222
|
+
}
|
|
223
|
+
score = Math.max(0, score);
|
|
224
|
+
const summary = issues.length > 0
|
|
225
|
+
? `${issues.length} test anti-pattern${issues.length !== 1 ? 's' : ''} found across ${testFiles.length} test file${testFiles.length !== 1 ? 's' : ''}`
|
|
226
|
+
: 'no test anti-patterns found';
|
|
227
|
+
return { name: 'tests', score, maxScore: 100, issues, summary };
|
|
228
|
+
}
|
package/dist/cli.js
CHANGED
|
@@ -16,7 +16,9 @@ import { checkIntegrity } from './checks/integrity.js';
|
|
|
16
16
|
import { checkReceipt, runReceiptCommand } from './checks/receipt.js';
|
|
17
17
|
import { checkMemory } from './checks/memory.js';
|
|
18
18
|
import { checkVerify } from './checks/verify.js';
|
|
19
|
+
import { checkTests } from './checks/tests.js';
|
|
19
20
|
import { checkMap, renderMapReport } from './checks/map.js';
|
|
21
|
+
import { checkPermissions } from './checks/permissions.js';
|
|
20
22
|
import { score } from './scorer.js';
|
|
21
23
|
import { reportPretty, reportJSON, reportBadge } from './reporter.js';
|
|
22
24
|
const args = process.argv.slice(2);
|
|
@@ -48,6 +50,7 @@ if (flags.has('--help') || flags.has('-h')) {
|
|
|
48
50
|
npx @safetnsr/vet init generate configs + hooks
|
|
49
51
|
npx @safetnsr/vet receipt show last agent session receipt
|
|
50
52
|
npx @safetnsr/vet map [dir] show agent visibility map
|
|
53
|
+
npx @safetnsr/vet permissions [dir] audit Claude Code config for dangerous grants
|
|
51
54
|
|
|
52
55
|
${c.dim}categories:${c.reset}
|
|
53
56
|
security (30%) scan, secrets, config, model usage
|
|
@@ -82,7 +85,7 @@ if (flags.has('--version') || flags.has('-v')) {
|
|
|
82
85
|
}
|
|
83
86
|
process.exit(0);
|
|
84
87
|
}
|
|
85
|
-
const COMMANDS = ['init', 'receipt', 'map'];
|
|
88
|
+
const COMMANDS = ['init', 'receipt', 'map', 'permissions'];
|
|
86
89
|
const command = COMMANDS.includes(positional[0]) ? positional[0] : undefined;
|
|
87
90
|
const cwd = resolve(positional.find(p => !COMMANDS.includes(p)) || '.');
|
|
88
91
|
const isCI = flags.has('--ci');
|
|
@@ -122,6 +125,30 @@ if (command === 'map') {
|
|
|
122
125
|
}
|
|
123
126
|
process.exit(0);
|
|
124
127
|
}
|
|
128
|
+
if (command === 'permissions') {
|
|
129
|
+
const result = checkPermissions(cwd);
|
|
130
|
+
if (isJSON) {
|
|
131
|
+
console.log(JSON.stringify(result, null, 2));
|
|
132
|
+
}
|
|
133
|
+
else {
|
|
134
|
+
console.log(`\n ${c.bold}vet permissions${c.reset} — ${result.summary}\n`);
|
|
135
|
+
console.log(` score: ${result.score}/100\n`);
|
|
136
|
+
if (result.issues.length === 0) {
|
|
137
|
+
console.log(` ${c.green}no issues found${c.reset}\n`);
|
|
138
|
+
}
|
|
139
|
+
else {
|
|
140
|
+
for (const issue of result.issues) {
|
|
141
|
+
const icon = issue.severity === 'error' ? c.red + '✗' : issue.severity === 'warning' ? c.yellow + '⚠' : c.dim + 'i';
|
|
142
|
+
const loc = issue.file ? ` ${c.dim}(${issue.file}${issue.line ? `:${issue.line}` : ''})${c.reset}` : '';
|
|
143
|
+
console.log(` ${icon}${c.reset} ${issue.message}${loc}`);
|
|
144
|
+
if (issue.fixHint)
|
|
145
|
+
console.log(` ${c.dim}→ ${issue.fixHint}${c.reset}`);
|
|
146
|
+
}
|
|
147
|
+
console.log('');
|
|
148
|
+
}
|
|
149
|
+
}
|
|
150
|
+
process.exit(result.score < 60 ? 1 : 0);
|
|
151
|
+
}
|
|
125
152
|
if (!isGitRepo(cwd)) {
|
|
126
153
|
console.error(`${c.red}not a git repository${c.reset}. vet operates on git repos.`);
|
|
127
154
|
process.exit(1);
|
|
@@ -144,7 +171,7 @@ if (isFix) {
|
|
|
144
171
|
}
|
|
145
172
|
async function runChecks() {
|
|
146
173
|
// Run all checks, grouped into categories
|
|
147
|
-
// Security: scan, secrets, config, models, owasp
|
|
174
|
+
// Security: scan, secrets, config, models, owasp, permissions
|
|
148
175
|
const [scanResult, secretsResult, configResult, modelsResult, owaspResult] = await Promise.all([
|
|
149
176
|
Promise.resolve(checkScan(cwd)),
|
|
150
177
|
checkSecrets(cwd),
|
|
@@ -152,6 +179,7 @@ async function runChecks() {
|
|
|
152
179
|
checkModels(cwd, ignore),
|
|
153
180
|
Promise.resolve(checkOwasp(cwd)),
|
|
154
181
|
]);
|
|
182
|
+
const permissionsResult = checkPermissions(cwd);
|
|
155
183
|
// Integrity: diff, integrity checks
|
|
156
184
|
const diffResult = checkDiff(cwd, { since });
|
|
157
185
|
const integrityResult = await checkIntegrity(cwd, ignore);
|
|
@@ -169,9 +197,11 @@ async function runChecks() {
|
|
|
169
197
|
const memoryResult = checkMemory(cwd);
|
|
170
198
|
// Verify: agent claim validation
|
|
171
199
|
const verifyResult = checkVerify(cwd, since);
|
|
200
|
+
// Tests: test theater detection
|
|
201
|
+
const testsResult = checkTests(cwd, ignore);
|
|
172
202
|
return score(cwd, {
|
|
173
|
-
security: [scanResult, secretsResult, configResult, modelsResult, owaspResult],
|
|
174
|
-
integrity: [diffResult, integrityResult, receiptResult, memoryResult, verifyResult],
|
|
203
|
+
security: [scanResult, secretsResult, configResult, modelsResult, owaspResult, permissionsResult],
|
|
204
|
+
integrity: [diffResult, integrityResult, receiptResult, memoryResult, verifyResult, testsResult],
|
|
175
205
|
debt: [readyResult, historyResult, debtResult],
|
|
176
206
|
deps: [depsResult],
|
|
177
207
|
});
|