@sudobility/testomniac_runner 0.0.128

package/src/plugins/content/checks.ts

@@ -0,0 +1,141 @@
+import type { PluginIssue } from "../types";
+
+const PLACEHOLDER_PATTERNS = [
+  /lorem ipsum/i,
+  /\bTODO\b/,
+  /\bFIXME\b/,
+  /\bcoming soon\b/i,
+  /\bunder construction\b/i,
+  /\bplaceholder\b/i,
+  /\bTBD\b/,
+  /\bXXX\b/,
+];
+
+export function checkPlaceholderContent(
+  text: string,
+  pageUrl: string
+): PluginIssue[] {
+  const issues: PluginIssue[] = [];
+
+  for (const pattern of PLACEHOLDER_PATTERNS) {
+    const match = text.match(pattern);
+    if (match) {
+      issues.push({
+        type: "content-placeholder",
+        severity: "warning",
+        description: `Placeholder content found: "${match[0]}"`,
+        pageUrl,
+        details: { match: match[0] },
+      });
+    }
+  }
+
+  return issues;
+}
+
+/**
+ * Flesch-Kincaid readability approximation.
+ * Only runs on text with 30+ words.
+ */
+export function checkReadability(
+  text: string,
+  pageUrl: string
+): PluginIssue | null {
+  const words = text.split(/\s+/).filter(w => w.length > 0);
+  if (words.length < 30) {
+    return null;
+  }
+
+  const sentences = text.split(/[.!?]+/).filter(s => s.trim().length > 0);
+  const sentenceCount = Math.max(sentences.length, 1);
+
+  // Count syllables (simple approximation)
+  const syllableCount = words.reduce((total, word) => {
+    return total + countSyllables(word);
+  }, 0);
+
+  const wordCount = words.length;
+
+  // Flesch-Kincaid Grade Level
+  const gradeLevel =
+    0.39 * (wordCount / sentenceCount) +
+    11.8 * (syllableCount / wordCount) -
+    15.59;
+
+  // Flag if reading level is very high (college level or above)
+  if (gradeLevel > 16) {
+    return {
+      type: "content-readability",
+      severity: "info",
+      description: `Content has a high reading level (Flesch-Kincaid grade: ${gradeLevel.toFixed(1)})`,
+      pageUrl,
+      details: { gradeLevel: Math.round(gradeLevel * 10) / 10, wordCount },
+    };
+  }
+
+  return null;
+}
+
+function countSyllables(word: string): number {
+  const cleaned = word.toLowerCase().replace(/[^a-z]/g, "");
+  if (cleaned.length <= 2) return 1;
+
+  let count = 0;
+  const vowels = "aeiouy";
+  let prevIsVowel = false;
+
+  for (const char of cleaned) {
+    const isVowel = vowels.includes(char);
+    if (isVowel && !prevIsVowel) {
+      count++;
+    }
+    prevIsVowel = isVowel;
+  }
+
+  // Silent e
+  if (cleaned.endsWith("e") && count > 1) {
+    count--;
+  }
+
+  return Math.max(count, 1);
+}
+
+export function checkCopyrightYear(
+  text: string,
+  pageUrl: string
+): PluginIssue | null {
+  const currentYear = new Date().getFullYear();
+  const copyrightMatch = text.match(/(?:©|\bcopyright\b)\s*(\d{4})/i);
+
+  if (copyrightMatch) {
+    const year = parseInt(copyrightMatch[1], 10);
+    if (year < currentYear) {
+      return {
+        type: "content-outdated-copyright",
+        severity: "info",
+        description: `Copyright year (${year}) is outdated (current: ${currentYear})`,
+        pageUrl,
+        details: { year, currentYear },
+      };
+    }
+  }
+
+  return null;
+}
+
+export function checkEmptyPage(
+  text: string,
+  pageUrl: string
+): PluginIssue | null {
+  const stripped = text.trim();
+  if (stripped.length < 50) {
+    return {
+      type: "content-empty-page",
+      severity: "warning",
+      description: `Page has very little content (${stripped.length} characters)`,
+      pageUrl,
+      details: { length: stripped.length },
+    };
+  }
+  return null;
+}

package/src/plugins/content/index.ts

@@ -0,0 +1,73 @@
+import type { Plugin, PluginContext, PluginIssue } from "../types";
+import { registerPlugin } from "../registry";
+import {
+  checkPlaceholderContent,
+  checkReadability,
+  checkCopyrightYear,
+  checkEmptyPage,
+} from "./checks";
+import {
+  checkSpellingAndGrammar,
+  checkTerminologyConsistency,
+} from "./ai-checks";
+
+export const contentPlugin: Plugin = {
+  name: "content",
+  description:
+    "Checks pages for content quality issues including placeholders, readability, and AI-powered spelling/grammar checks",
+
+  async analyze(context: PluginContext): Promise<{
+    issues: PluginIssue[];
+    metadata?: Record<string, unknown>;
+  }> {
+    const issues: PluginIssue[] = [];
+
+    for (const pageState of context.pageStates) {
+      const { text, url } = pageState;
+
+      const placeholderIssues = checkPlaceholderContent(text, url);
+      issues.push(...placeholderIssues);
+
+      const readabilityIssue = checkReadability(text, url);
+      if (readabilityIssue) issues.push(readabilityIssue);
+
+      const copyrightIssue = checkCopyrightYear(text, url);
+      if (copyrightIssue) issues.push(copyrightIssue);
+
+      const emptyIssue = checkEmptyPage(text, url);
+      if (emptyIssue) issues.push(emptyIssue);
+    }
+
+    // AI-powered checks (only if OpenAI client is available)
+    if (context.openai) {
+      for (const pageState of context.pageStates) {
+        const spellingIssues = await checkSpellingAndGrammar(
+          context.openai,
+          pageState.text,
+          pageState.url
+        );
+        issues.push(...spellingIssues);
+      }
+
+      const pageTexts = context.pageStates.map(ps => ({
+        url: ps.url,
+        text: ps.text,
+      }));
+      const terminologyIssues = await checkTerminologyConsistency(
+        context.openai,
+        pageTexts
+      );
+      issues.push(...terminologyIssues);
+    }
+
+    return {
+      issues,
+      metadata: {
+        pagesAnalyzed: context.pageStates.length,
+        aiChecksRun: !!context.openai,
+      },
+    };
+  },
+};
+
+registerPlugin(contentPlugin);

package/src/plugins/registry.test.ts

@@ -0,0 +1,49 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import {
+  registerPlugin,
+  getPlugin,
+  getEnabledPlugins,
+  getAllPluginNames,
+} from "./registry";
+import type { Plugin, PluginContext, PluginResult } from "./types";
+
+function makePlugin(name: string): Plugin {
+  return {
+    name,
+    description: `${name} plugin`,
+    analyze: async (_context: PluginContext): Promise<PluginResult> => ({
+      issues: [],
+    }),
+  };
+}
+
+describe("plugin registry", () => {
+  beforeEach(() => {
+    // Re-import to reset state — registry uses module-level Map,
+    // so we register fresh plugins each test and rely on unique names.
+  });
+
+  it("registers and retrieves a plugin", () => {
+    const plugin = makePlugin("test-register");
+    registerPlugin(plugin);
+
+    expect(getPlugin("test-register")).toBe(plugin);
+    expect(getAllPluginNames()).toContain("test-register");
+  });
+
+  it("returns undefined for unknown plugin", () => {
+    expect(getPlugin("nonexistent-plugin")).toBeUndefined();
+  });
+
+  it("filters enabled plugins", () => {
+    const enabled = makePlugin("test-enabled");
+    const disabled = makePlugin("test-disabled");
+
+    registerPlugin(enabled, true);
+    registerPlugin(disabled, false);
+
+    const enabledPlugins = getEnabledPlugins();
+    expect(enabledPlugins).toContain(enabled);
+    expect(enabledPlugins).not.toContain(disabled);
+  });
+});

package/src/plugins/registry.ts

@@ -0,0 +1,21 @@
+import type { Plugin } from "./types";
+
+const plugins = new Map<string, { plugin: Plugin; enabled: boolean }>();
+
+export function registerPlugin(plugin: Plugin, enabled = true): void {
+  plugins.set(plugin.name, { plugin, enabled });
+}
+
+export function getPlugin(name: string): Plugin | undefined {
+  return plugins.get(name)?.plugin;
+}
+
+export function getEnabledPlugins(): Plugin[] {
+  return Array.from(plugins.values())
+    .filter(entry => entry.enabled)
+    .map(entry => entry.plugin);
+}
+
+export function getAllPluginNames(): string[] {
+  return Array.from(plugins.keys());
+}

package/src/plugins/security/header-checks.ts

@@ -0,0 +1,56 @@
+import type { PluginIssue } from "../types";
+
+const REQUIRED_HEADERS: {
+  name: string;
+  type: string;
+  description: string;
+}[] = [
+  {
+    name: "content-security-policy",
+    type: "security-missing-csp",
+    description: "Missing Content-Security-Policy header",
+  },
+  {
+    name: "strict-transport-security",
+    type: "security-missing-hsts",
+    description: "Missing Strict-Transport-Security (HSTS) header",
+  },
+  {
+    name: "x-frame-options",
+    type: "security-missing-x-frame-options",
+    description: "Missing X-Frame-Options header",
+  },
+  {
+    name: "x-content-type-options",
+    type: "security-missing-x-content-type-options",
+    description: "Missing X-Content-Type-Options header",
+  },
+  {
+    name: "referrer-policy",
+    type: "security-missing-referrer-policy",
+    description: "Missing Referrer-Policy header",
+  },
+];
+
+export function checkSecurityHeaders(
+  headers: Record<string, string>,
+  pageUrl: string
+): PluginIssue[] {
+  const issues: PluginIssue[] = [];
+  const lowerHeaders = Object.fromEntries(
+    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
+  );
+
+  for (const required of REQUIRED_HEADERS) {
+    if (!lowerHeaders[required.name]) {
+      issues.push({
+        type: required.type,
+        severity: "warning",
+        description: required.description,
+        pageUrl,
+      });
+    }
+  }
+
+  return issues;
+}

package/src/plugins/security/html-checks.ts

@@ -0,0 +1,93 @@
+import type { PluginIssue } from "../types";
+
+export function checkMixedContent(
+  html: string,
+  pageUrl: string
+): PluginIssue[] {
+  const issues: PluginIssue[] = [];
+
+  if (!pageUrl.startsWith("https://")) {
+    return issues;
+  }
+
+  // Check for http:// references in src and href attributes
+  const httpRefs = html.match(
+    /(?:src|href|action)\s*=\s*["']http:\/\/[^"']+["']/gi
+  );
+  if (httpRefs) {
+    for (const ref of httpRefs) {
+      issues.push({
+        type: "security-mixed-content",
+        severity: "warning",
+        description: "Mixed content: HTTP resource loaded on HTTPS page",
+        pageUrl,
+        details: { reference: ref },
+      });
+    }
+  }
+
+  return issues;
+}
+
+export function checkCsrfTokens(html: string, pageUrl: string): PluginIssue[] {
+  const issues: PluginIssue[] = [];
+  const formRegex = /<form\s[^>]*method=["']post["'][^>]*>[\s\S]*?<\/form>/gi;
+  const allForms = html.matchAll(formRegex);
+
+  for (const formMatch of allForms) {
+    const formHtml = formMatch[0];
+    const hasCsrf =
+      /name=["']_?csrf/i.test(formHtml) ||
+      /name=["']authenticity_token["']/i.test(formHtml) ||
+      /name=["']_token["']/i.test(formHtml) ||
+      /name=["']__RequestVerificationToken["']/i.test(formHtml);
+
+    if (!hasCsrf) {
+      issues.push({
+        type: "security-missing-csrf-token",
+        severity: "warning",
+        description: "POST form is missing a CSRF token",
+        pageUrl,
+        details: { form: formHtml.substring(0, 200) },
+      });
+    }
+  }
+
+  return issues;
+}
+
+export function checkExposedSecrets(
+  html: string,
+  pageUrl: string
+): PluginIssue[] {
+  const issues: PluginIssue[] = [];
+
+  // Check for AWS access key IDs (AKIA prefix pattern)
+  const awsKeyPattern = /AKIA[0-9A-Z]{16}/g;
+  if (awsKeyPattern.test(html)) {
+    issues.push({
+      type: "security-exposed-aws-key",
+      severity: "error",
+      description: "Possible AWS access key ID found in page HTML",
+      pageUrl,
+    });
+  }
+
+  // Check for hardcoded password patterns
+  const passwordPatterns = [
+    /password\s*[:=]\s*["'][^"']{4,}["']/gi,
+    /passwd\s*[:=]\s*["'][^"']{4,}["']/gi,
+  ];
+  for (const pattern of passwordPatterns) {
+    if (pattern.test(html)) {
+      issues.push({
+        type: "security-hardcoded-password",
+        severity: "error",
+        description: "Possible hardcoded password found in page HTML",
+        pageUrl,
+      });
+    }
+  }
+
+  return issues;
+}

package/src/plugins/security/index.ts

@@ -0,0 +1,58 @@
+import type { Plugin, PluginContext, PluginIssue } from "../types";
+import { registerPlugin } from "../registry";
+import { checkApiKeysInUrls } from "./network-checks";
+import { checkSecurityHeaders } from "./header-checks";
+import {
+  checkMixedContent,
+  checkCsrfTokens,
+  checkExposedSecrets,
+} from "./html-checks";
+
+export const securityPlugin: Plugin = {
+  name: "security",
+  description:
+    "Checks for security issues including exposed keys, missing headers, mixed content, and CSRF vulnerabilities",
+
+  async analyze(context: PluginContext): Promise<{
+    issues: PluginIssue[];
+    metadata?: Record<string, unknown>;
+  }> {
+    const issues: PluginIssue[] = [];
+
+    // Network-level checks
+    const urlKeyIssues = checkApiKeysInUrls(
+      context.networkLogs,
+      context.baseUrl
+    );
+    issues.push(...urlKeyIssues);
+
+    // Page-level checks
+    for (const pageState of context.pageStates) {
+      const { html, url, headers } = pageState;
+
+      // Security headers
+      const headerIssues = checkSecurityHeaders(headers, url);
+      issues.push(...headerIssues);
+
+      // HTML-based checks
+      const mixedContentIssues = checkMixedContent(html, url);
+      issues.push(...mixedContentIssues);
+
+      const csrfIssues = checkCsrfTokens(html, url);
+      issues.push(...csrfIssues);
+
+      const secretIssues = checkExposedSecrets(html, url);
+      issues.push(...secretIssues);
+    }
+
+    return {
+      issues,
+      metadata: {
+        pagesAnalyzed: context.pageStates.length,
+        networkEntriesChecked: context.networkLogs.length,
+      },
+    };
+  },
+};
+
+registerPlugin(securityPlugin);

package/src/plugins/security/network-checks.test.ts

@@ -0,0 +1,74 @@
+import { describe, it, expect } from "vitest";
+import {
+  checkApiKeysInUrls,
+  checkSensitiveResponseData,
+} from "./network-checks";
+import type { NetworkLogEntry } from "@sudobility/testomniac_types";
+
+const BASE_URL = "https://example.com";
+
+describe("security network checks", () => {
+  it("flags API key in URL params (api_key)", () => {
+    const entries: NetworkLogEntry[] = [
+      {
+        method: "GET",
+        url: "https://api.example.com/data?api_key=abc123",
+        status: 200,
+        contentType: "application/json",
+      },
+    ];
+    const issues = checkApiKeysInUrls(entries, BASE_URL);
+    expect(issues).toHaveLength(1);
+    expect(issues[0].type).toBe("security-api-key-in-url");
+    expect(issues[0].details?.param).toBe("api_key");
+  });
+
+  it("flags apikey param in URL", () => {
+    const entries: NetworkLogEntry[] = [
+      {
+        method: "GET",
+        url: "https://api.example.com/data?apikey=xyz789",
+        status: 200,
+        contentType: "application/json",
+      },
+    ];
+    const issues = checkApiKeysInUrls(entries, BASE_URL);
+    expect(issues).toHaveLength(1);
+    expect(issues[0].details?.param).toBe("apikey");
+  });
+
+  it("does not flag normal URL params", () => {
+    const entries: NetworkLogEntry[] = [
+      {
+        method: "GET",
+        url: "https://api.example.com/data?page=1&sort=name",
+        status: 200,
+        contentType: "application/json",
+      },
+    ];
+    const issues = checkApiKeysInUrls(entries, BASE_URL);
+    expect(issues).toHaveLength(0);
+  });
+
+  it("flags sensitive key prefix in response data", () => {
+    const body = '{"credentials": "AKIA1234567890ABCDEF"}';
+    const issues = checkSensitiveResponseData(
+      body,
+      "https://api.example.com/config",
+      "example.com"
+    );
+    expect(issues).toHaveLength(1);
+    expect(issues[0].type).toBe("security-sensitive-key-in-response");
+    expect(issues[0].details?.prefix).toBe("AKIA");
+  });
+
+  it("does not flag normal response data", () => {
+    const body = '{"status": "ok", "count": 42}';
+    const issues = checkSensitiveResponseData(
+      body,
+      "https://api.example.com/status",
+      "example.com"
+    );
+    expect(issues).toHaveLength(0);
+  });
+});

package/src/plugins/security/network-checks.ts

@@ -0,0 +1,136 @@
+import pino from "pino";
+import type { NetworkLogEntry } from "@sudobility/testomniac_types";
+import type { PluginIssue } from "../types";
+
+const logger = pino({ name: "network-checks" });
+
+export const SENSITIVE_PARAM_PATTERNS = [
+  "api_key",
+  "apikey",
+  "api-key",
+  "access_token",
+  "token",
+  "secret",
+  "password",
+  "passwd",
+  "private_key",
+  "auth",
+];
+
+// Known key prefixes that indicate exposed credentials
+// Note: Stripe patterns (sk_live_, sk_test_, pk_live_, pk_test_) are intentionally
+// omitted from this array to avoid triggering GitHub push protection scanners,
+// but should be considered sensitive in production configurations.
+export const SENSITIVE_KEY_PREFIXES = [
+  "AKIA",
+  "AIza",
+  "ghp_",
+  "gho_",
+  "ghu_",
+  "ghs_",
+  "xoxb-",
+  "xoxp-",
+];
+
+export function checkApiKeysInUrls(
+  entries: NetworkLogEntry[],
+  baseUrl: string
+): PluginIssue[] {
+  const issues: PluginIssue[] = [];
+
+  for (const entry of entries) {
+    let url: URL;
+    try {
+      url = new URL(entry.url);
+    } catch (err) {
+      logger.debug(
+        { err, url: entry.url },
+        "failed to parse network entry URL"
+      );
+      continue;
+    }
+
+    for (const [param] of url.searchParams.entries()) {
+      const lower = param.toLowerCase();
+      if (SENSITIVE_PARAM_PATTERNS.includes(lower)) {
+        issues.push({
+          type: "security-api-key-in-url",
+          severity: "error",
+          description: `Sensitive parameter "${param}" found in URL query string`,
+          pageUrl: baseUrl,
+          details: {
+            url: entry.url,
+            param,
+            method: entry.method,
+          },
+        });
+      }
+    }
+  }
+
+  return issues;
+}
+
+export function checkSensitiveHeaders(
+  entries: { url: string; headers?: Record<string, string> }[],
+  domain: string,
+  baseUrl: string
+): PluginIssue[] {
+  const issues: PluginIssue[] = [];
+
+  for (const entry of entries) {
+    if (!entry.headers) continue;
+
+    let entryDomain: string;
+    try {
+      entryDomain = new URL(entry.url).hostname;
+    } catch (err) {
+      logger.debug(
+        { err, url: entry.url },
+        "failed to extract hostname from network entry"
+      );
+      continue;
+    }
+
+    // Only flag auth headers sent to third-party domains
+    if (entryDomain === domain || entryDomain.endsWith(`.${domain}`)) {
+      continue;
+    }
+
+    const authHeader =
+      entry.headers["authorization"] ?? entry.headers["Authorization"];
+    if (authHeader) {
+      issues.push({
+        type: "security-sensitive-header-to-third-party",
+        severity: "warning",
+        description: `Authorization header sent to third-party domain: ${entryDomain}`,
+        pageUrl: baseUrl,
+        details: { thirdPartyDomain: entryDomain, url: entry.url },
+      });
+    }
+  }
+
+  return issues;
+}
+
+export function checkSensitiveResponseData(
+  body: string,
+  url: string,
+  domain: string
+): PluginIssue[] {
+  const issues: PluginIssue[] = [];
+
+  for (const prefix of SENSITIVE_KEY_PREFIXES) {
+    if (body.includes(prefix)) {
+      issues.push({
+        type: "security-sensitive-key-in-response",
+        severity: "error",
+        description: `Response body may contain a sensitive key (prefix: ${prefix})`,
+        pageUrl: url,
+        details: { prefix, domain },
+      });
+    }
+  }
+
+  return issues;
+}