@voodocs/cli 0.1.2 → 0.2.0

package/lib/darkarts/context/checker.py

@@ -0,0 +1,379 @@
+"""
+Invariant Checker
+
+Validates that code respects documented invariants.
+"""
+
+import re
+import ast
+from pathlib import Path
+from typing import List, Dict, Optional, Tuple
+from dataclasses import dataclass
+from enum import Enum
+
+
+class ViolationSeverity(Enum):
+    """Severity levels for invariant violations."""
+    ERROR = "error"
+    WARNING = "warning"
+    INFO = "info"
+
+
+@dataclass
+class Violation:
+    """A potential invariant violation."""
+    invariant: str
+    file_path: str
+    line_number: int
+    line_content: str
+    severity: ViolationSeverity
+    explanation: str
+
+
+@dataclass
+class CheckResult:
+    """Result of checking an invariant."""
+    invariant: str
+    passed: bool
+    violations: List[Violation]
+    checked_files: int
+
+
+class InvariantChecker:
+    """Checks code against documented invariants."""
+    
+    # Common invariant patterns and their detection strategies
+    PATTERNS = {
+        'password': {
+            'keywords': ['password', 'passwd', 'pwd'],
+            'safe_patterns': [
+                r'hash\(',
+                r'bcrypt\.',
+                r'hashlib\.',
+                r'crypto\.',
+                r'pbkdf2',
+                r'scrypt',
+                r'argon2'
+            ],
+            'unsafe_patterns': [
+                r'password\s*=\s*["\']',
+                r'password\s*:\s*["\']',
+                r'\.password\s*=',
+            ],
+            'message': 'Password should be hashed before storage'
+        },
+        'api_key': {
+            'keywords': ['api key', 'api_key', 'apikey', 'secret', 'token'],
+            'unsafe_patterns': [
+                r'log\(',
+                r'print\(',
+                r'console\.log\(',
+                r'logger\.',
+                r'logging\.',
+                r'echo\s+',
+                r'puts\s+'
+            ],
+            'message': 'API keys/secrets should not be logged'
+        },
+        'sql': {
+            'keywords': ['sql', 'database', 'query', 'queries'],
+            'unsafe_patterns': [
+                r'execute\([f"\'].*\{',
+                r'execute\(.*\+',
+                r'query\([f"\'].*\{',
+                r'query\(.*\+',
+                r'SELECT.*\{',
+                r'INSERT.*\{',
+                r'UPDATE.*\{',
+                r'DELETE.*\{',
+            ],
+            'safe_patterns': [
+                r'execute\(.*,\s*\(',
+                r'execute\(.*,\s*\[',
+                r'execute\(.*,\s*\{',
+                r'\?',
+                r'%s',
+                r'\$\d+',
+            ],
+            'message': 'SQL queries should use parameterized statements'
+        },
+        'validation': {
+            'keywords': ['input', 'user input', 'validate', 'validation'],
+            'safe_patterns': [
+                r'validate\(',
+                r'sanitize\(',
+                r'clean\(',
+                r'isinstance\(',
+                r'type\(',
+                r'assert\s+',
+                r'if\s+.*isinstance',
+                r'if\s+.*type\(',
+            ],
+            'message': 'User input should be validated'
+        },
+        'null_check': {
+            'keywords': ['null', 'none', 'nil', 'undefined'],
+            'safe_patterns': [
+                r'if\s+.*is\s+None',
+                r'if\s+.*==\s*None',
+                r'if\s+.*is\s+not\s+None',
+                r'if\s+.*!=\s*None',
+                r'if\s+.*===\s*null',
+                r'if\s+.*!==\s*null',
+                r'if\s+.*\?\.',
+                r'Optional\[',
+            ],
+            'message': 'Null/None values should be checked'
+        },
+        'error_handling': {
+            'keywords': ['error', 'exception', 'failure'],
+            'safe_patterns': [
+                r'try:',
+                r'except\s+',
+                r'catch\s*\(',
+                r'\.catch\(',
+                r'Result\[',
+                r'Option\[',
+                r'Either\[',
+            ],
+            'message': 'Errors should be handled properly'
+        }
+    }
+    
+    def __init__(self):
+        self.results: List[CheckResult] = []
+    
+    def check_invariants(
+        self, 
+        invariants: List[str], 
+        source_dir: Path,
+        module_filter: Optional[str] = None
+    ) -> List[CheckResult]:
+        """
+        Check all invariants against the codebase.
+        
+        Args:
+            invariants: List of invariant strings to check
+            source_dir: Directory to scan for code
+            module_filter: Optional module name filter
+        
+        Returns:
+            List of CheckResult objects
+        """
+        self.results = []
+        
+        for invariant in invariants:
+            result = self.check_invariant(invariant, source_dir, module_filter)
+            self.results.append(result)
+        
+        return self.results
+    
+    def check_invariant(
+        self, 
+        invariant: str, 
+        source_dir: Path,
+        module_filter: Optional[str] = None
+    ) -> CheckResult:
+        """
+        Check a single invariant against the codebase.
+        
+        Args:
+            invariant: Invariant string to check
+            source_dir: Directory to scan for code
+            module_filter: Optional module name filter
+        
+        Returns:
+            CheckResult object
+        """
+        # Detect invariant pattern
+        pattern_type = self._detect_pattern_type(invariant)
+        
+        if not pattern_type:
+            # Generic check - just search for violations
+            return self._generic_check(invariant, source_dir, module_filter)
+        
+        # Pattern-specific check
+        return self._pattern_check(invariant, pattern_type, source_dir, module_filter)
+    
+    def _detect_pattern_type(self, invariant: str) -> Optional[str]:
+        """Detect which pattern type an invariant matches."""
+        invariant_lower = invariant.lower()
+        
+        for pattern_type, pattern_info in self.PATTERNS.items():
+            keywords = pattern_info['keywords']
+            if any(keyword in invariant_lower for keyword in keywords):
+                return pattern_type
+        
+        return None
+    
+    def _pattern_check(
+        self, 
+        invariant: str, 
+        pattern_type: str,
+        source_dir: Path,
+        module_filter: Optional[str]
+    ) -> CheckResult:
+        """Check invariant using pattern-specific logic."""
+        pattern_info = self.PATTERNS[pattern_type]
+        violations = []
+        checked_files = 0
+        
+        # Get all source files
+        files = self._get_source_files(source_dir, module_filter)
+        
+        for file_path in files:
+            checked_files += 1
+            file_violations = self._check_file(
+                file_path, 
+                invariant, 
+                pattern_info
+            )
+            violations.extend(file_violations)
+        
+        return CheckResult(
+            invariant=invariant,
+            passed=len(violations) == 0,
+            violations=violations,
+            checked_files=checked_files
+        )
+    
+    def _generic_check(
+        self, 
+        invariant: str, 
+        source_dir: Path,
+        module_filter: Optional[str]
+    ) -> CheckResult:
+        """Generic check for invariants without specific patterns."""
+        # For now, just return passed (no violations)
+        # Future: Could use LLM to analyze code
+        return CheckResult(
+            invariant=invariant,
+            passed=True,
+            violations=[],
+            checked_files=0
+        )
+    
+    def _check_file(
+        self, 
+        file_path: Path, 
+        invariant: str,
+        pattern_info: Dict
+    ) -> List[Violation]:
+        """Check a single file for violations."""
+        violations = []
+        
+        try:
+            with open(file_path, 'r', encoding='utf-8') as f:
+                lines = f.readlines()
+            
+            for line_num, line in enumerate(lines, start=1):
+                violation = self._check_line(
+                    line, 
+                    line_num, 
+                    file_path, 
+                    invariant,
+                    pattern_info
+                )
+                if violation:
+                    violations.append(violation)
+        
+        except Exception:
+            # Skip files that can't be read
+            pass
+        
+        return violations
+    
+    def _check_line(
+        self, 
+        line: str, 
+        line_num: int,
+        file_path: Path,
+        invariant: str,
+        pattern_info: Dict
+    ) -> Optional[Violation]:
+        """Check a single line for violations."""
+        # Skip comments
+        if line.strip().startswith('#') or line.strip().startswith('//'):
+            return None
+        
+        # Check for unsafe patterns
+        unsafe_patterns = pattern_info.get('unsafe_patterns', [])
+        for pattern in unsafe_patterns:
+            if re.search(pattern, line, re.IGNORECASE):
+                # Check if safe pattern is also present
+                safe_patterns = pattern_info.get('safe_patterns', [])
+                has_safe_pattern = any(
+                    re.search(safe_pattern, line, re.IGNORECASE)
+                    for safe_pattern in safe_patterns
+                )
+                
+                if not has_safe_pattern:
+                    return Violation(
+                        invariant=invariant,
+                        file_path=str(file_path),
+                        line_number=line_num,
+                        line_content=line.strip(),
+                        severity=ViolationSeverity.WARNING,
+                        explanation=pattern_info['message']
+                    )
+        
+        # Check for missing safe patterns (if keyword present)
+        keywords = pattern_info.get('keywords', [])
+        has_keyword = any(keyword in line.lower() for keyword in keywords)
+        
+        if has_keyword and 'safe_patterns' in pattern_info:
+            safe_patterns = pattern_info['safe_patterns']
+            has_safe_pattern = any(
+                re.search(safe_pattern, line, re.IGNORECASE)
+                for safe_pattern in safe_patterns
+            )
+            
+            # If keyword present but no safe pattern, might be a violation
+            # But only if it's an assignment or usage context
+            if not has_safe_pattern and ('=' in line or '(' in line):
+                return Violation(
+                    invariant=invariant,
+                    file_path=str(file_path),
+                    line_number=line_num,
+                    line_content=line.strip(),
+                    severity=ViolationSeverity.INFO,
+                    explanation=pattern_info['message']
+                )
+        
+        return None
+    
+    def _get_source_files(
+        self, 
+        source_dir: Path,
+        module_filter: Optional[str]
+    ) -> List[Path]:
+        """Get all source files to check."""
+        extensions = {'.py', '.ts', '.tsx', '.js', '.jsx', '.java', '.cpp', 
+                     '.cc', '.cxx', '.h', '.hpp', '.cs', '.go', '.rs'}
+        
+        skip_dirs = {'node_modules', '.git', '__pycache__', 'venv', '.venv',
+                    'dist', 'build', 'target', '.next', '.nuxt'}
+        
+        files = []
+        
+        for path in source_dir.rglob('*'):
+            # Skip directories
+            if path.is_dir():
+                continue
+            
+            # Skip if in excluded directory
+            if any(skip_dir in path.parts for skip_dir in skip_dirs):
+                continue
+            
+            # Check extension
+            if path.suffix.lower() not in extensions:
+                continue
+            
+            # Apply module filter if specified
+            if module_filter:
+                if module_filter not in str(path):
+                    continue
+            
+            files.append(path)
+        
+        return files