npm - @shakecodeslikecray/whiterose - Versions diffs - 1.0.2 → 1.0.4 - Mend

@shakecodeslikecray/whiterose 1.0.2 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli/index.js CHANGED Viewed

@@ -4327,9 +4327,23 @@ function loadAccumulatedBugs(cwd) {
     if (!Array.isArray(stored.bugs)) {
       stored.bugs = [];
     }
+    if (!stored.fingerprints || typeof stored.fingerprints !== "object") {
+      stored.fingerprints = {};
+    }
     stored.bugs = stored.bugs.map((b) => ({ ...b, kind: b.kind || "bug" }));
     return stored;
-  } catch {
+  } catch (error) {
+    const backupPath = `${bugsPath}.corrupted.${Date.now()}`;
+    try {
+      const corruptedContent = readFileSync(bugsPath, "utf-8");
+      writeFileSync(backupPath, corruptedContent);
+      console.warn(`Warning: ${BUGS_FILENAME} is corrupted and could not be parsed.`);
+      console.warn(`Corrupted file backed up to: ${backupPath}`);
+      console.warn("Bug history has been reset. Previous bugs will appear as new.");
+    } catch {
+      console.warn(`Warning: ${BUGS_FILENAME} is corrupted and could not be parsed.`);
+      console.warn("Bug history has been reset. Previous bugs will appear as new.");
+    }
     return {
       version: STORAGE_VERSION,
       lastUpdated: (/* @__PURE__ */ new Date()).toISOString(),
@@ -5864,7 +5878,9 @@ var FixConfirm = ({ bug, dryRun, onConfirm, onCancel, onFixComplete }) => {
       setStatus("fixing");
       setProgressMessage("Starting agentic fix...");
       try {
-        const result = await onConfirm();
+        const result = await onConfirm((message) => {
+          setProgressMessage(message);
+        });
         if (result.falsePositive) {
           setFalsePositiveReason(result.falsePositiveReason || "The AI determined this bug is not real after analyzing the code.");
           setStatus("false-positive");
@@ -6008,11 +6024,11 @@ var App = ({ bugs, config, fixOptions, onFix, onExit }) => {
   };
   const [fixError, setFixError] = useState(null);
   const [lastFixedBugId, setLastFixedBugId] = useState(null);
-  const handleConfirmFix = async () => {
+  const handleConfirmFix = async (onProgress) => {
     if (selectedBug) {
       setFixError(null);
       setLastFixedBugId(selectedBug.id);
-      const result = await onFix(selectedBug);
+      const result = await onFix(selectedBug, onProgress);
       return result;
     }
     return { falsePositive: false };
@@ -6217,6 +6233,67 @@ function markBugAsFixed(bug, commitHash, cwd = process.cwd()) {
 }
 // src/core/fixer.ts
+var MAX_SARIF_TEXT_LENGTH = 2e3;
+var PROMPT_INJECTION_PATTERNS = [
+  // Attempts to override or ignore instructions
+  /ignore\s+(previous|all|above)\s+instructions?/i,
+  /disregard\s+(previous|all|above)\s+instructions?/i,
+  /forget\s+(previous|all|above)\s+instructions?/i,
+  // Attempts to define new roles or personas
+  /you\s+are\s+(now|actually)\s+/i,
+  /act\s+as\s+(a|an)\s+/i,
+  /pretend\s+(you|to\s+be)\s+/i,
+  // Attempts to inject system-level commands
+  /\[SYSTEM\]/i,
+  /\[INST\]/i,
+  /<\|system\|>/i,
+  /<\|assistant\|>/i,
+  /<\|user\|>/i,
+  // Attempts to break out with special markers
+  /###\s*(INSTRUCTION|SYSTEM|END|NEW)/i,
+  /```\s*(system|instruction)/i,
+  // Direct file operation injections
+  /delete\s+(all|the)\s+files?/i,
+  /rm\s+-rf\s+/i,
+  /remove\s+(all|every)\s+file/i,
+  // Exfiltration attempts
+  /send\s+(this|the|all)\s+(data|content|file)/i,
+  /upload\s+(to|this)/i,
+  /curl\s+.*\s+-d/i,
+  /fetch\s*\(\s*['"][^'"]*['"]\s*,\s*\{[^}]*method\s*:\s*['"]POST['"]/i
+];
+function sanitizeSarifText(text2, fieldName = "field") {
+  if (!text2 || typeof text2 !== "string") {
+    return "";
+  }
+  let sanitized = text2.length > MAX_SARIF_TEXT_LENGTH ? text2.substring(0, MAX_SARIF_TEXT_LENGTH) + `... [truncated ${fieldName}]` : text2;
+  for (const pattern of PROMPT_INJECTION_PATTERNS) {
+    if (pattern.test(sanitized)) {
+      sanitized = sanitized.replace(pattern, "[REDACTED: potential injection]");
+    }
+  }
+  sanitized = sanitized.replace(/```+/g, "`\u200B`\u200B`");
+  sanitized = sanitized.replace(/###/g, "#\u200B#\u200B#");
+  return sanitized;
+}
+function sanitizeSarifEvidence(evidence) {
+  if (!Array.isArray(evidence)) {
+    return [];
+  }
+  return evidence.filter((e) => typeof e === "string").slice(0, 10).map((e) => sanitizeSarifText(e, "evidence"));
+}
+function sanitizeSarifCodePath(codePath) {
+  if (!Array.isArray(codePath)) {
+    return [];
+  }
+  return codePath.slice(0, 20).map((entry, idx) => ({
+    step: typeof entry?.step === "number" ? entry.step : idx + 1,
+    file: sanitizeSarifText(String(entry?.file || ""), "codePath.file").substring(0, 500),
+    line: typeof entry?.line === "number" ? entry.line : 0,
+    code: sanitizeSarifText(String(entry?.code || ""), "codePath.code"),
+    explanation: sanitizeSarifText(String(entry?.explanation || ""), "codePath.explanation")
+  }));
+}
 function isPathWithinProject(filePath, projectDir) {
   const resolvedPath = resolve(projectDir, filePath);
   const relativePath = relative(projectDir, resolvedPath);
@@ -6280,7 +6357,7 @@ In: ${bug.file}:${bug.line}`
   }
   let agenticResult;
   try {
-    agenticResult = await runAgenticFix(bug, config, projectDir);
+    agenticResult = await runAgenticFix(bug, config, projectDir, options.onProgress);
   } catch (error) {
     return {
       success: false,
@@ -6320,76 +6397,153 @@ In: ${bug.file}:${bug.line}`
     commitHash
   };
 }
-async function runAgenticFix(bug, config, projectDir) {
+async function runAgenticFix(bug, config, projectDir, onProgress) {
   const providerCommand = getProviderCommand(config.provider);
   const prompt = buildAgenticFixPrompt(bug);
-  const args = [];
-  if (config.provider === "claude-code") {
-    args.push("-p", prompt, "--dangerously-skip-permissions");
-  } else if (config.provider === "gemini") {
-    args.push("-p", prompt);
-  } else if (config.provider === "aider") {
-    args.push("--message", prompt, bug.file);
-  } else if (config.provider === "codex") ; else {
-    args.push("-p", prompt);
-  }
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), 3e5);
   let stdout = "";
   let stderr = "";
-  if (config.provider === "codex") {
-    const tempDir = mkdtempSync(join(tmpdir(), "whiterose-fix-"));
-    const outputFile = join(tempDir, "output.txt");
-    try {
-      const result = await execa(
+  try {
+    if (config.provider === "codex") {
+      const tempDir = mkdtempSync(join(tmpdir(), "whiterose-fix-"));
+      const outputFile = join(tempDir, "output.txt");
+      try {
+        const result = await execa(
+          providerCommand,
+          [
+            "exec",
+            "--full-auto",
+            // Allow workspace writes without approval prompts
+            "--skip-git-repo-check",
+            "-C",
+            projectDir,
+            // Set working directory for codex
+            "-o",
+            outputFile,
+            "-"
+            // Read prompt from stdin
+          ],
+          {
+            cwd: projectDir,
+            input: prompt,
+            // Pass prompt via stdin
+            timeout: 3e5,
+            env: { ...process.env, NO_COLOR: "1" },
+            reject: false,
+            cancelSignal: controller.signal
+          }
+        );
+        stderr = result.stderr || "";
+        if (existsSync(outputFile)) {
+          try {
+            stdout = readFileSync(outputFile, "utf-8");
+          } catch {
+            stdout = result.stdout || "";
+          }
+        } else {
+          stdout = result.stdout || "";
+        }
+      } finally {
+        try {
+          rmSync(tempDir, { recursive: true, force: true });
+        } catch {
+        }
+      }
+    } else if (config.provider === "claude-code") {
+      const args = ["--dangerously-skip-permissions", "-p"];
+      if (onProgress) {
+        args.push("--verbose", "--output-format", "stream-json");
+      }
+      const subprocess = execa(
         providerCommand,
-        [
-          "exec",
-          "--full-auto",
-          // Allow workspace writes without approval prompts
-          "--skip-git-repo-check",
-          "-C",
-          projectDir,
-          // Set working directory for codex
-          "-o",
-          outputFile,
-          "-"
-          // Read prompt from stdin
-        ],
+        args,
         {
           cwd: projectDir,
           input: prompt,
-          // Pass prompt via stdin
+          // Pass prompt via stdin (Claude reads from stdin when no prompt arg provided)
           timeout: 3e5,
           env: { ...process.env, NO_COLOR: "1" },
-          reject: false
+          reject: false,
+          cancelSignal: controller.signal
         }
       );
-      stderr = result.stderr || "";
-      if (existsSync(outputFile)) {
-        try {
-          stdout = readFileSync(outputFile, "utf-8");
-        } catch {
-          stdout = result.stdout || "";
-        }
-      } else {
-        stdout = result.stdout || "";
-      }
-    } finally {
-      try {
-        rmSync(tempDir, { recursive: true, force: true });
-      } catch {
+      if (onProgress && subprocess.stdout) {
+        let lineBuffer = "";
+        subprocess.stdout.on("data", (chunk) => {
+          const text2 = chunk.toString();
+          lineBuffer += text2;
+          const lines = lineBuffer.split("\n");
+          lineBuffer = lines.pop() || "";
+          for (const line of lines) {
+            const trimmed = line.trim();
+            if (trimmed) {
+              try {
+                const event = JSON.parse(trimmed);
+                if (event.type === "assistant" && event.message?.content) {
+                  for (const block of event.message.content) {
+                    if (block.type === "tool_use") {
+                      const toolName = block.name || "tool";
+                      onProgress(`Using ${toolName}...`);
+                    } else if (block.type === "text" && block.text) {
+                      const preview = block.text.substring(0, 80).replace(/\n/g, " ").trim();
+                      if (preview) {
+                        onProgress(preview + (block.text.length > 80 ? "..." : ""));
+                      }
+                    }
+                  }
+                }
+              } catch {
+                if (trimmed.length > 3 && trimmed.length < 100) {
+                  onProgress(trimmed);
+                }
+              }
+            }
+          }
+        });
       }
+      const result = await subprocess;
+      stdout = result.stdout || "";
+      stderr = result.stderr || "";
+    } else if (config.provider === "gemini") {
+      const result = await execa(providerCommand, ["-p", prompt], {
+        cwd: projectDir,
+        timeout: 3e5,
+        env: { ...process.env, NO_COLOR: "1" },
+        reject: false,
+        stdin: "ignore",
+        // Prevent stdin hangs
+        cancelSignal: controller.signal
+      });
+      stdout = result.stdout || "";
+      stderr = result.stderr || "";
+    } else if (config.provider === "aider") {
+      const result = await execa(providerCommand, ["--message", prompt, bug.file], {
+        cwd: projectDir,
+        timeout: 3e5,
+        env: { ...process.env, NO_COLOR: "1" },
+        reject: false,
+        stdin: "ignore",
+        // Prevent stdin hangs
+        cancelSignal: controller.signal
+      });
+      stdout = result.stdout || "";
+      stderr = result.stderr || "";
+    } else {
+      const result = await execa(providerCommand, ["-p", prompt], {
+        cwd: projectDir,
+        timeout: 3e5,
+        env: { ...process.env, NO_COLOR: "1" },
+        reject: false,
+        stdin: "ignore",
+        // Prevent stdin hangs
+        cancelSignal: controller.signal
+      });
+      stdout = result.stdout || "";
+      stderr = result.stderr || "";
     }
-  } else {
-    const result = await execa(providerCommand, args, {
-      cwd: projectDir,
-      timeout: 3e5,
-      // 5 minute timeout for agentic operations
-      env: { ...process.env, NO_COLOR: "1" },
-      reject: false
-      // Don't throw on non-zero exit
-    });
-    stdout = result.stdout || "";
-    stderr = result.stderr || "";
+  } finally {
+    clearTimeout(timeoutId);
   }
   if (stderr) {
     const lowerStderr = stderr.toLowerCase();
@@ -6518,8 +6672,8 @@ function generateSimpleDiff(original, modified, filename) {
 }
 async function startFixTUI(bugs, config, options, cwd) {
   return new Promise((resolve6) => {
-    const handleFix = async (bug) => {
-      const result = await applyFix(bug, config, options);
+    const handleFix = async (bug, onProgress) => {
+      const result = await applyFix(bug, config, { ...options, onProgress });
       if (result.falsePositive) {
         if (cwd) {
           removeBugFromAccumulated(cwd, bug.id);
@@ -6678,39 +6832,67 @@ function loadBugsFromSarif(sarifPath) {
   } catch (error) {
     throw new Error(`Failed to parse SARIF file: ${sarifPath}. File may be corrupted or malformed.`);
   }
-  return sarif.runs?.[0]?.results?.map((r, i) => {
+  if (!sarif || typeof sarif !== "object") {
+    throw new Error(`Invalid SARIF file: ${sarifPath}. Expected a JSON object.`);
+  }
+  const runs = sarif.runs;
+  if (!Array.isArray(runs) || runs.length === 0) {
+    return [];
+  }
+  const results = runs[0]?.results;
+  if (!Array.isArray(results)) {
+    return [];
+  }
+  return results.map((r, i) => {
+    if (!r || typeof r !== "object") {
+      throw new Error(`Invalid SARIF result at index ${i}: expected an object.`);
+    }
     const props = r.properties || {};
+    const rawTitle = r.message?.text || "Unknown bug";
+    const rawDescription = r.message?.markdown || r.message?.text || "";
+    const rawCodePath = r.codeFlows?.[0]?.threadFlows?.[0]?.locations?.map((loc, idx) => ({
+      step: idx + 1,
+      file: loc.location?.physicalLocation?.artifactLocation?.uri || "",
+      line: loc.location?.physicalLocation?.region?.startLine || 0,
+      code: "",
+      explanation: loc.message?.text || ""
+    })) || [];
+    const rawFile = r.locations?.[0]?.physicalLocation?.artifactLocation?.uri;
+    const file = typeof rawFile === "string" ? rawFile : "unknown";
+    const rawLine = r.locations?.[0]?.physicalLocation?.region?.startLine;
+    const line = typeof rawLine === "number" && Number.isFinite(rawLine) ? Math.floor(rawLine) : 0;
+    const rawEndLine = r.locations?.[0]?.physicalLocation?.region?.endLine;
+    const endLine = typeof rawEndLine === "number" && Number.isFinite(rawEndLine) ? Math.floor(rawEndLine) : void 0;
+    const rawId = r.ruleId;
+    const id = typeof rawId === "string" ? rawId : `WR-${String(i + 1).padStart(3, "0")}`;
+    const validatedKind = FindingKind.safeParse(props.kind);
+    const validatedCategory = BugCategory.safeParse(props.category);
+    const validatedConfidence = ConfidenceLevel.safeParse(props.confidence);
     return {
-      id: r.ruleId || `WR-${String(i + 1).padStart(3, "0")}`,
-      title: r.message?.text || "Unknown bug",
-      description: r.message?.markdown || r.message?.text || "",
-      file: r.locations?.[0]?.physicalLocation?.artifactLocation?.uri || "unknown",
-      line: r.locations?.[0]?.physicalLocation?.region?.startLine || 0,
-      endLine: r.locations?.[0]?.physicalLocation?.region?.endLine,
-      kind: props.kind || "bug",
+      id,
+      title: sanitizeSarifText(String(rawTitle), "title"),
+      description: sanitizeSarifText(String(rawDescription), "description"),
+      file,
+      line,
+      endLine,
+      kind: validatedKind.success ? validatedKind.data : "bug",
       severity: mapSarifLevel(r.level),
-      category: props.category || "logic-error",
+      category: validatedCategory.success ? validatedCategory.data : "logic-error",
       confidence: {
-        overall: props.confidence || "medium",
-        codePathValidity: props.codePathValidity || 0.8,
-        reachability: props.reachability || 0.8,
-        intentViolation: props.intentViolation || false,
-        staticToolSignal: props.staticToolSignal || false,
-        adversarialSurvived: props.adversarialSurvived || false
+        overall: validatedConfidence.success ? validatedConfidence.data : "medium",
+        codePathValidity: typeof props.codePathValidity === "number" ? props.codePathValidity : 0.8,
+        reachability: typeof props.reachability === "number" ? props.reachability : 0.8,
+        intentViolation: typeof props.intentViolation === "boolean" ? props.intentViolation : false,
+        staticToolSignal: typeof props.staticToolSignal === "boolean" ? props.staticToolSignal : false,
+        adversarialSurvived: typeof props.adversarialSurvived === "boolean" ? props.adversarialSurvived : false
       },
-      codePath: r.codeFlows?.[0]?.threadFlows?.[0]?.locations?.map((loc, idx) => ({
-        step: idx + 1,
-        file: loc.location?.physicalLocation?.artifactLocation?.uri || "",
-        line: loc.location?.physicalLocation?.region?.startLine || 0,
-        code: "",
-        explanation: loc.message?.text || ""
-      })) || [],
-      evidence: props.evidence || [],
-      suggestedFix: props.suggestedFix,
+      codePath: sanitizeSarifCodePath(rawCodePath),
+      evidence: sanitizeSarifEvidence(props.evidence),
+      suggestedFix: props.suggestedFix ? sanitizeSarifText(String(props.suggestedFix), "suggestedFix") : void 0,
       createdAt: (/* @__PURE__ */ new Date()).toISOString(),
       status: "open"
     };
-  }) || [];
+  });
 }
 async function loadBugFromGitHub(issueUrl, cwd) {
   try {
@@ -6950,12 +7132,24 @@ async function fixSingleBug(bug, config, options, cwd) {
       process.exit(0);
     }
   }
-  const spinner6 = p3.spinner();
-  spinner6.start(options.dryRun ? "Generating fix preview..." : "Applying fix...");
+  console.log();
+  console.log(chalk3.cyan("  \u25C6 Starting agentic fix..."));
+  console.log();
   try {
-    const result = await applyFix(bug, config, options);
+    let lastMessage = "";
+    const result = await applyFix(bug, config, {
+      ...options,
+      onProgress: (message) => {
+        if (message !== lastMessage) {
+          lastMessage = message;
+          const truncated = message.length > 72 ? message.substring(0, 72) + "..." : message;
+          process.stdout.write(`\r\x1B[K  ${chalk3.dim("\u203A")} ${chalk3.gray(truncated)}`);
+        }
+      }
+    });
+    process.stdout.write("\r\x1B[K");
     if (result.success) {
-      spinner6.stop(options.dryRun ? "Fix preview generated" : "Fix applied");
+      console.log(chalk3.green("  \u2713 Fix applied successfully"));
       if (result.diff) {
         console.log();
         console.log(chalk3.dim("  Changes:"));
@@ -6981,12 +7175,12 @@ async function fixSingleBug(bug, config, options, cwd) {
       }
       p3.outro(chalk3.green("Fix complete!"));
     } else {
-      spinner6.stop("Fix failed");
+      console.log(chalk3.red("  \u2717 Fix failed"));
       p3.log.error(result.error || "Unknown error");
       process.exit(1);
     }
   } catch (error) {
-    spinner6.stop("Fix failed");
+    console.log(chalk3.red("  \u2717 Fix failed"));
     p3.log.error(error.message);
     process.exit(1);
   }