agent-enderun 0.1.10 → 0.2.0

package/packages/framework-mcp/dist/tools/security.js

@@ -0,0 +1,122 @@
+import fs from "fs";
+import path from "path";
+import { Project, SyntaxKind } from "ts-morph";
+import { collectFilesRecursively, resolveSafePath, buildLineMatches } from "../utils.js";
+import { SECURITY_AUDIT_ARGS_SCHEMA, ANALYZE_CONSTITUTION_COMPLIANCE_ARGS_SCHEMA } from "../schemas.js";
+export const securityTools = [
+    {
+        name: "security_audit_scan",
+        description: "Scans the codebase for security vulnerabilities like hardcoded secrets, raw SQL, and unsafe async patterns.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                path: {
+                    type: "string",
+                    description: "Path to scan (relative to project root)",
+                    default: ".",
+                },
+            },
+        },
+    },
+    {
+        name: "analyze_constitution_compliance",
+        description: "Scans a file or directory for violations of the project's ENDERUN.md rules (e.g. Zero UI Library, Branded Types).",
+        inputSchema: {
+            type: "object",
+            properties: {
+                path: {
+                    type: "string",
+                    description: "Path to scan (relative to project root)",
+                },
+            },
+            required: ["path"],
+        },
+    },
+];
+export const securityHandlers = {
+    security_audit_scan: async (args, projectRoot) => {
+        const parsed = SECURITY_AUDIT_ARGS_SCHEMA.safeParse(args ?? {});
+        if (!parsed.success)
+            return { content: [{ type: "text", text: "Invalid path argument." }] };
+        const vulnerabilities = [];
+        const scanRules = [
+            { pattern: /sql`/, message: "Potential Raw SQL usage detected (check Kysely usage)", severity: "HIGH" },
+            { pattern: /(?<!\/\/\s*)console\.log/, message: "console.log found in production code", severity: "LOW" },
+            { pattern: /(password|secret|api_?key)\s*[:=]\s*['"][^'"]+['"]/i, message: "Potential hardcoded secret/password detected", severity: "CRITICAL" },
+            { pattern: /:\s*any(?!\w)/, message: "Usage of 'any' type detected", severity: "MEDIUM" },
+            { pattern: /(?<!\w)eval\s*\(/, message: "Dangerous 'eval()' usage detected", severity: "HIGH" },
+            { pattern: /\.innerHTML\s*=/, message: "Unsafe innerHTML assignment detected (XSS risk)", severity: "MEDIUM" },
+            { pattern: /dangerouslySetInnerHTML/, message: "React dangerouslySetInnerHTML detected", severity: "MEDIUM" },
+            { pattern: /TODO:/, message: "Outstanding TODO item found", severity: "LOW" },
+        ];
+        try {
+            const safeTargetPath = resolveSafePath(projectRoot, parsed.data.path);
+            if (!fs.existsSync(safeTargetPath))
+                return { content: [{ type: "text", text: "Target path not found." }] };
+            const files = collectFilesRecursively(safeTargetPath, new Set(["ts", "tsx"]));
+            for (const rule of scanRules) {
+                const ruleMatches = buildLineMatches(files, (line) => typeof rule.pattern === "string" ? line.includes(rule.pattern) : rule.pattern.test(line), 5, projectRoot);
+                if (ruleMatches.length > 0)
+                    vulnerabilities.push(`[${rule.severity}] ${rule.message}:\n${ruleMatches.join("\n")}`);
+            }
+            const tsProject = new Project({ compilerOptions: { allowJs: true } });
+            tsProject.addSourceFilesAtPaths(path.join(safeTargetPath, "**/*.{ts,tsx}"));
+            for (const sourceFile of tsProject.getSourceFiles()) {
+                const relativePath = path.relative(projectRoot, sourceFile.getFilePath());
+                sourceFile.forEachDescendant((node) => {
+                    if (node.getKindName() === "AnyKeyword") {
+                        vulnerabilities.push(`[MEDIUM] Precise 'any' type detected in AST at ${relativePath}:${node.getStartLineNumber()}`);
+                    }
+                    if (node.getKind() === SyntaxKind.CallExpression) {
+                        const callExp = node.asKind(SyntaxKind.CallExpression);
+                        if (callExp?.getExpression().getText() === "console.log") {
+                            vulnerabilities.push(`[LOW] Production 'console.log' detected in AST at ${relativePath}:${node.getStartLineNumber()}`);
+                        }
+                    }
+                });
+            }
+            return { content: [{ type: "text", text: vulnerabilities.length > 0 ? `### ADVANCED SECURITY AUDIT RESULTS\n\n${Array.from(new Set(vulnerabilities)).join("\n\n")}` : "No security patterns or rule violations detected (Regex & AST verified)." }] };
+        }
+        catch (error) {
+            return { content: [{ type: "text", text: "Security scan failed." }] };
+        }
+    },
+    analyze_constitution_compliance: async (args, projectRoot) => {
+        const parsed = ANALYZE_CONSTITUTION_COMPLIANCE_ARGS_SCHEMA.safeParse(args ?? {});
+        if (!parsed.success)
+            return { content: [{ type: "text", text: "Invalid path argument." }] };
+        try {
+            const safePath = resolveSafePath(projectRoot, parsed.data.path);
+            const violations = [];
+            const checkFile = (filePath) => {
+                const content = fs.readFileSync(filePath, "utf-8");
+                const relativePath = path.relative(projectRoot, filePath);
+                const forbiddenLibraries = ["@shadcn", "mui", "@chakra-ui", "antd", "bootstrap", "tailwindcss"];
+                for (const lib of forbiddenLibraries) {
+                    if (content.includes(lib))
+                        violations.push(`${relativePath}: Violation of Zero UI Library Policy (found '${lib}')`);
+                }
+                if (content.includes("console.log") && !filePath.includes("cli.js") && !filePath.includes("node_modules")) {
+                    violations.push(`${relativePath}: Violation of Logging Policy (found 'console.log', use proper logger)`);
+                }
+                if (content.includes("sql`") && !filePath.includes("node_modules")) {
+                    violations.push(`${relativePath}: Potential Violation of Kysely Standards (found raw 'sql' tag)`);
+                }
+                if (filePath.endsWith(".ts") && !filePath.includes("shared-types") && !filePath.includes("node_modules")) {
+                    if (content.match(/interface.*ID\s*:\s*string/))
+                        violations.push(`${relativePath}: Violation of Branded Types Law (found ID typed as plain string)`);
+                }
+            };
+            if (fs.lstatSync(safePath).isDirectory()) {
+                collectFilesRecursively(safePath, new Set(["ts", "tsx", "js", "jsx"])).forEach(checkFile);
+            }
+            else {
+                checkFile(safePath);
+            }
+            return { content: [{ type: "text", text: `### CONSTITUTION COMPLIANCE REPORT\n\n` + (violations.length > 0 ? `⚠️ **VIOLATIONS FOUND:**\n${violations.map(v => `- ${v}`).join("\n")}` : "✅ **ALL SYSTEMS COMPLIANT:** No violations of ENDERUN.md rules detected.") }] };
+        }
+        catch (error) {
+            return { content: [{ type: "text", text: "Compliance analysis failed." }] };
+        }
+    },
+};

package/packages/framework-mcp/dist/utils.js

@@ -0,0 +1,82 @@
+import path from "path";
+import fs from "fs";
+export const FRAMEWORK_VERSION = "0.2.0";
+export function getFrameworkDir(projectRoot) {
+    const adapters = [".gemini", ".claude", ".cursor", ".codex", ".enderun"];
+    for (const adp of adapters) {
+        const fullPath = path.join(projectRoot, adp);
+        if (fs.existsSync(fullPath) && fs.lstatSync(fullPath).isDirectory()) {
+            return adp;
+        }
+    }
+    return ".enderun";
+}
+export function resolveSafePath(projectRoot, targetPath) {
+    const resolved = path.resolve(projectRoot, targetPath);
+    const relative = path.relative(projectRoot, resolved);
+    if (relative.startsWith("..") || path.isAbsolute(relative)) {
+        throw new Error("Path escapes project root.");
+    }
+    return resolved;
+}
+export function collectFilesRecursively(targetPath, extensions) {
+    const results = [];
+    const entries = fs.readdirSync(targetPath, { withFileTypes: true });
+    for (const entry of entries) {
+        const fullPath = path.join(targetPath, entry.name);
+        if (entry.isDirectory()) {
+            if (entry.name === "node_modules" || entry.name === ".git")
+                continue;
+            results.push(...collectFilesRecursively(fullPath, extensions));
+            continue;
+        }
+        const ext = path.extname(entry.name).slice(1).toLowerCase();
+        if (extensions.has(ext))
+            results.push(fullPath);
+    }
+    return results;
+}
+export function buildLineMatches(files, matcher, maxResults, projectRoot) {
+    const matches = [];
+    for (const filePath of files) {
+        if (matches.length >= maxResults)
+            break;
+        const content = fs.readFileSync(filePath, "utf-8");
+        const lines = content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            if (matches.length >= maxResults)
+                break;
+            const line = lines[i];
+            if (!matcher(line))
+                continue;
+            const relativePath = path.relative(projectRoot, filePath);
+            matches.push(`${relativePath}:${i + 1}:${line}`);
+        }
+    }
+    return matches;
+}
+export function collectMarkdownArtifacts(projectRoot) {
+    const docsRoot = path.join(projectRoot, "docs");
+    if (!fs.existsSync(docsRoot))
+        return [];
+    return collectFilesRecursively(docsRoot, new Set(["md"])).map((filePath) => path.relative(projectRoot, filePath));
+}
+export function replaceSectionContent(markdown, sectionTitle, newBody) {
+    const escaped = sectionTitle.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const sectionRegex = new RegExp(`## ${escaped}[\\s\\S]*?(?=\\n## |$)`, "m");
+    if (!sectionRegex.test(markdown)) {
+        throw new Error(`Section not found: ${sectionTitle}`);
+    }
+    return markdown.replace(sectionRegex, `## ${sectionTitle}\n\n${newBody.trim()}\n`);
+}
+export function prependToSection(markdown, sectionTitle, contentToPrepend) {
+    const escaped = sectionTitle.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const sectionRegex = new RegExp(`(## ${escaped}\\n)([\\s\\S]*?)(?=\\n## |$)`, "m");
+    const match = markdown.match(sectionRegex);
+    if (!match) {
+        throw new Error(`Section not found: ${sectionTitle}`);
+    }
+    const currentBody = match[2].trimStart();
+    const updatedBody = `${contentToPrepend.trim()}\n\n${currentBody}`.trim();
+    return markdown.replace(sectionRegex, `$1\n${updatedBody}\n`);
+}