ai-code-audit 0.1.0

package/src/auditor.ts

@@ -0,0 +1,226 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { extname } from 'node:path';
+import { allRules } from './rules/index.js';
+import type { Finding, AuditResult, Config, Severity } from './types.js';
+
+const EXTENSION_MAP: Record<string, string> = {
+  '.ts': 'typescript',
+  '.tsx': 'typescript',
+  '.js': 'javascript',
+  '.jsx': 'javascript',
+  '.mjs': 'javascript',
+  '.cjs': 'javascript',
+  '.py': 'python',
+  '.rb': 'ruby',
+  '.go': 'go',
+};
+
+const DEFAULT_CONFIG: Config = {
+  rules: {},
+  ignore: [],
+  languages: ['typescript', 'javascript', 'python'],
+};
+
+function getLanguage(filename: string): string | null {
+  const ext = extname(filename).toLowerCase();
+  return EXTENSION_MAP[ext] || null;
+}
+
+function shouldIgnore(finding: Finding, config: Config): boolean {
+  const ruleSeverity = config.rules[finding.rule];
+  return ruleSeverity === 'off';
+}
+
+function adjustSeverity(finding: Finding, config: Config): Finding {
+  const ruleSeverity = config.rules[finding.rule];
+  if (ruleSeverity && ruleSeverity !== 'off') {
+    return { ...finding, severity: ruleSeverity };
+  }
+  return finding;
+}
+
+export function auditFile(filename: string, config: Config = DEFAULT_CONFIG): Finding[] {
+  const language = getLanguage(filename);
+
+  if (!language) {
+    return [];
+  }
+
+  if (!config.languages.includes(language)) {
+    return [];
+  }
+
+  let content: string;
+  try {
+    content = readFileSync(filename, 'utf-8');
+  } catch {
+    return [];
+  }
+
+  const findings: Finding[] = [];
+
+  for (const rule of allRules) {
+    if (!rule.languages.includes(language)) {
+      continue;
+    }
+
+    const ruleFindings = rule.check(content, filename);
+
+    for (const finding of ruleFindings) {
+      if (!shouldIgnore(finding, config)) {
+        findings.push(adjustSeverity(finding, config));
+      }
+    }
+  }
+
+  return findings;
+}
+
+export function auditContent(content: string, filename: string, config: Config = DEFAULT_CONFIG): Finding[] {
+  const language = getLanguage(filename);
+
+  if (!language) {
+    return [];
+  }
+
+  const findings: Finding[] = [];
+
+  for (const rule of allRules) {
+    if (!rule.languages.includes(language)) {
+      continue;
+    }
+
+    const ruleFindings = rule.check(content, filename);
+
+    for (const finding of ruleFindings) {
+      if (!shouldIgnore(finding, config)) {
+        findings.push(adjustSeverity(finding, config));
+      }
+    }
+  }
+
+  return findings;
+}
+
+export function auditDiff(diff: string, config: Config = DEFAULT_CONFIG): Finding[] {
+  const findings: Finding[] = [];
+  let currentFile = '';
+  let lineOffset = 0;
+  const addedLines: Map<string, { line: number; content: string }[]> = new Map();
+
+  // Parse the diff
+  const lines = diff.split('\n');
+
+  for (const line of lines) {
+    // New file
+    if (line.startsWith('+++ b/')) {
+      currentFile = line.slice(6);
+      addedLines.set(currentFile, []);
+      continue;
+    }
+
+    // Hunk header
+    if (line.startsWith('@@')) {
+      const match = line.match(/@@ -\d+(?:,\d+)? \+(\d+)/);
+      if (match) {
+        lineOffset = parseInt(match[1], 10) - 1;
+      }
+      continue;
+    }
+
+    // Added line
+    if (line.startsWith('+') && !line.startsWith('+++')) {
+      lineOffset++;
+      const fileLines = addedLines.get(currentFile);
+      if (fileLines) {
+        fileLines.push({
+          line: lineOffset,
+          content: line.slice(1),
+        });
+      }
+      continue;
+    }
+
+    // Context or removed line
+    if (!line.startsWith('-')) {
+      lineOffset++;
+    }
+  }
+
+  // Audit added lines for each file
+  for (const [filename, lines] of addedLines) {
+    if (lines.length === 0) continue;
+
+    const content = lines.map((l) => l.content).join('\n');
+    const contentFindings = auditContent(content, filename, config);
+
+    // Adjust line numbers back to original file
+    for (const finding of contentFindings) {
+      const originalLine = lines[finding.line - 1];
+      if (originalLine) {
+        findings.push({
+          ...finding,
+          line: originalLine.line,
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+export function summarize(findings: Finding[]): AuditResult {
+  let errorCount = 0;
+  let warningCount = 0;
+  let infoCount = 0;
+
+  const files = new Set<string>();
+
+  for (const finding of findings) {
+    files.add(finding.file);
+
+    switch (finding.severity) {
+      case 'error':
+        errorCount++;
+        break;
+      case 'warning':
+        warningCount++;
+        break;
+      case 'info':
+        infoCount++;
+        break;
+    }
+  }
+
+  return {
+    findings,
+    filesScanned: files.size,
+    errorCount,
+    warningCount,
+    infoCount,
+  };
+}
+
+export function loadConfig(configPath?: string): Config {
+  const paths = configPath
+    ? [configPath]
+    : ['.ai-code-audit.json', '.ai-code-audit.config.json'];
+
+  for (const path of paths) {
+    if (existsSync(path)) {
+      try {
+        const content = readFileSync(path, 'utf-8');
+        const userConfig = JSON.parse(content);
+        return {
+          ...DEFAULT_CONFIG,
+          ...userConfig,
+          rules: { ...DEFAULT_CONFIG.rules, ...userConfig.rules },
+        };
+      } catch {
+        // Invalid config, use defaults
+      }
+    }
+  }
+
+  return DEFAULT_CONFIG;
+}

package/src/cli.ts

@@ -0,0 +1,274 @@
+#!/usr/bin/env node
+
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { auditFile, auditDiff, summarize, loadConfig } from './auditor.js';
+import type { Finding, AuditResult, Severity } from './types.js';
+
+const VERSION = '0.1.0';
+
+const COLORS = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  dim: '\x1b[2m',
+  red: '\x1b[31m',
+  yellow: '\x1b[33m',
+  blue: '\x1b[34m',
+  cyan: '\x1b[36m',
+  gray: '\x1b[90m',
+};
+
+const SEVERITY_COLORS: Record<Severity, string> = {
+  error: COLORS.red,
+  warning: COLORS.yellow,
+  info: COLORS.blue,
+};
+
+const HELP = `
+${COLORS.bold}ai-code-audit${COLORS.reset} v${VERSION}
+Security and quality linter for AI-generated code
+
+${COLORS.bold}USAGE:${COLORS.reset}
+  aca [options] <files...>
+  git diff | aca --stdin
+
+${COLORS.bold}OPTIONS:${COLORS.reset}
+  -s, --stdin           Read diff from stdin
+  -f, --format <type>   Output format: text, json, sarif (default: text)
+  -c, --config <file>   Config file path
+  --severity <level>    Minimum severity: info, warning, error (default: warning)
+  -q, --quiet           Only output errors
+  -h, --help            Show help
+  -v, --version         Show version
+
+${COLORS.bold}EXAMPLES:${COLORS.reset}
+  aca src/api.ts                    # Audit a single file
+  aca src/**/*.ts                   # Audit multiple files
+  git diff HEAD~1 | aca --stdin     # Audit a diff
+  git diff --cached | aca --stdin   # Audit staged changes
+
+${COLORS.bold}GIT HOOK:${COLORS.reset}
+  Add to .git/hooks/pre-commit:
+    git diff --cached | aca --stdin --severity error
+
+`;
+
+interface Options {
+  stdin: boolean;
+  format: 'text' | 'json' | 'sarif';
+  configPath?: string;
+  severity: Severity;
+  quiet: boolean;
+  files: string[];
+}
+
+function parseArgs(args: string[]): Options {
+  const options: Options = {
+    stdin: false,
+    format: 'text',
+    severity: 'warning',
+    quiet: false,
+    files: [],
+  };
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+
+    switch (arg) {
+      case '-h':
+      case '--help':
+        console.log(HELP);
+        process.exit(0);
+        break;
+
+      case '-v':
+      case '--version':
+        console.log(`ai-code-audit v${VERSION}`);
+        process.exit(0);
+        break;
+
+      case '-s':
+      case '--stdin':
+        options.stdin = true;
+        break;
+
+      case '-f':
+      case '--format':
+        options.format = args[++i] as 'text' | 'json' | 'sarif';
+        break;
+
+      case '-c':
+      case '--config':
+        options.configPath = args[++i];
+        break;
+
+      case '--severity':
+        options.severity = args[++i] as Severity;
+        break;
+
+      case '-q':
+      case '--quiet':
+        options.quiet = true;
+        options.severity = 'error';
+        break;
+
+      default:
+        if (!arg.startsWith('-')) {
+          options.files.push(arg);
+        }
+        break;
+    }
+  }
+
+  return options;
+}
+
+function filterBySeverity(findings: Finding[], minSeverity: Severity): Finding[] {
+  const severityOrder: Severity[] = ['info', 'warning', 'error'];
+  const minIndex = severityOrder.indexOf(minSeverity);
+
+  return findings.filter((f) => severityOrder.indexOf(f.severity) >= minIndex);
+}
+
+function formatText(result: AuditResult): string {
+  const output: string[] = [];
+
+  // Group findings by file
+  const byFile = new Map<string, Finding[]>();
+  for (const finding of result.findings) {
+    const existing = byFile.get(finding.file) || [];
+    existing.push(finding);
+    byFile.set(finding.file, existing);
+  }
+
+  for (const [file, findings] of byFile) {
+    output.push(`\n${COLORS.bold}${file}${COLORS.reset}`);
+
+    for (const f of findings) {
+      const color = SEVERITY_COLORS[f.severity];
+      const loc = `${f.line}:${f.column}`.padEnd(8);
+      const sev = f.severity.padEnd(8);
+      output.push(
+        `  ${COLORS.gray}${loc}${COLORS.reset} ${color}${sev}${COLORS.reset} ${f.message}  ${COLORS.dim}${f.rule}${COLORS.reset}`
+      );
+    }
+  }
+
+  output.push('');
+
+  const { errorCount, warningCount, infoCount } = result;
+  const total = errorCount + warningCount + infoCount;
+
+  if (total === 0) {
+    output.push(`${COLORS.cyan}✓ No issues found${COLORS.reset}`);
+  } else {
+    const parts = [];
+    if (errorCount > 0) parts.push(`${COLORS.red}${errorCount} error${errorCount !== 1 ? 's' : ''}${COLORS.reset}`);
+    if (warningCount > 0) parts.push(`${COLORS.yellow}${warningCount} warning${warningCount !== 1 ? 's' : ''}${COLORS.reset}`);
+    if (infoCount > 0) parts.push(`${COLORS.blue}${infoCount} info${COLORS.reset}`);
+    output.push(parts.join(', '));
+  }
+
+  return output.join('\n');
+}
+
+function formatJson(result: AuditResult): string {
+  return JSON.stringify(result, null, 2);
+}
+
+function formatSarif(result: AuditResult): string {
+  const sarif = {
+    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
+    version: '2.1.0',
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: 'ai-code-audit',
+            version: VERSION,
+            rules: result.findings.map((f) => ({
+              id: f.rule,
+              shortDescription: { text: f.message },
+            })),
+          },
+        },
+        results: result.findings.map((f) => ({
+          ruleId: f.rule,
+          level: f.severity === 'error' ? 'error' : f.severity === 'warning' ? 'warning' : 'note',
+          message: { text: f.message },
+          locations: [
+            {
+              physicalLocation: {
+                artifactLocation: { uri: f.file },
+                region: { startLine: f.line, startColumn: f.column },
+              },
+            },
+          ],
+        })),
+      },
+    ],
+  };
+
+  return JSON.stringify(sarif, null, 2);
+}
+
+async function main(): Promise<void> {
+  const args = process.argv.slice(2);
+
+  if (args.length === 0) {
+    console.log(HELP);
+    process.exit(0);
+  }
+
+  const options = parseArgs(args);
+  const config = loadConfig(options.configPath);
+
+  let findings: Finding[] = [];
+
+  if (options.stdin) {
+    // Read diff from stdin
+    const chunks: Buffer[] = [];
+    for await (const chunk of process.stdin) {
+      chunks.push(chunk);
+    }
+    const diff = Buffer.concat(chunks).toString('utf-8');
+    findings = auditDiff(diff, config);
+  } else if (options.files.length > 0) {
+    // Audit files
+    for (const file of options.files) {
+      const filePath = resolve(file);
+      findings.push(...auditFile(filePath, config));
+    }
+  } else {
+    console.error('Error: No files specified. Use --stdin for diff input.');
+    process.exit(1);
+  }
+
+  // Filter by severity
+  findings = filterBySeverity(findings, options.severity);
+
+  const result = summarize(findings);
+
+  // Output
+  switch (options.format) {
+    case 'json':
+      console.log(formatJson(result));
+      break;
+    case 'sarif':
+      console.log(formatSarif(result));
+      break;
+    default:
+      console.log(formatText(result));
+      break;
+  }
+
+  // Exit with error if there are errors
+  if (result.errorCount > 0) {
+    process.exit(1);
+  }
+}
+
+main().catch((err) => {
+  console.error('Fatal error:', err);
+  process.exit(1);
+});

package/src/index.ts

@@ -0,0 +1,5 @@
+// ai-code-audit - Security and quality linter for AI-generated code
+
+export { auditFile, auditContent, auditDiff, summarize, loadConfig } from './auditor.js';
+export { allRules, securityRules, qualityRules, aiSpecificRules } from './rules/index.js';
+export type { Finding, Rule, AuditResult, Config, Severity } from './types.js';

package/src/rules/ai-specific.ts

@@ -0,0 +1,170 @@
+import type { Rule, Finding } from '../types.js';
+
+function findMatches(
+  content: string,
+  pattern: RegExp,
+  rule: string,
+  severity: 'info' | 'warning' | 'error',
+  message: string,
+  filename: string
+): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    let match;
+
+    pattern.lastIndex = 0;
+
+    while ((match = pattern.exec(line)) !== null) {
+      findings.push({
+        rule,
+        severity,
+        message,
+        file: filename,
+        line: i + 1,
+        column: match.index + 1,
+        snippet: line.trim(),
+      });
+
+      if (!pattern.global) break;
+    }
+  }
+
+  return findings;
+}
+
+export const aiPlaceholder: Rule = {
+  name: 'ai-placeholder',
+  description: 'Detects placeholder text left by AI',
+  severity: 'error',
+  languages: ['javascript', 'typescript', 'python', 'ruby', 'go'],
+  check: (content, filename) => {
+    const patterns = [
+      /\/\/\s*(?:Add|TODO:?\s*add|Implement)\s+(?:your|the)\s+/gi,
+      /\/\/\s*(?:Replace|Update)\s+(?:this|with)\s+/gi,
+      /#\s*(?:Add|TODO:?\s*add|Implement)\s+(?:your|the)\s+/gi,
+      /\/\/\s*\.\.\.\s*(?:rest|more|additional|other)/gi,
+      /\/\*\s*(?:Add|Implement|Your)\s+.*\s+here\s*\*\//gi,
+      /['"](?:your-api-key|YOUR_API_KEY|api-key-here|replace-me|CHANGE_ME)['"]/gi,
+      /(?:example|placeholder|dummy)[@.](?:com|org|io)/gi,
+    ];
+
+    const findings: Finding[] = [];
+    for (const pattern of patterns) {
+      findings.push(
+        ...findMatches(
+          content,
+          pattern,
+          'ai-placeholder',
+          'error',
+          'AI placeholder text detected - needs implementation',
+          filename
+        )
+      );
+    }
+    return findings;
+  },
+};
+
+export const incompleteImpl: Rule = {
+  name: 'incomplete-impl',
+  description: 'Detects incomplete implementations',
+  severity: 'warning',
+  languages: ['javascript', 'typescript', 'python'],
+  check: (content, filename) => {
+    const patterns = [
+      /throw\s+new\s+Error\s*\(\s*['"](?:Not\s+implemented|TODO|FIXME)['"]/gi,
+      /raise\s+NotImplementedError/gi,
+      /pass\s*#\s*(?:TODO|FIXME)/gi,
+      /return\s+(?:null|undefined|None)\s*;?\s*\/\/\s*(?:TODO|FIXME)/gi,
+    ];
+
+    const findings: Finding[] = [];
+    for (const pattern of patterns) {
+      findings.push(
+        ...findMatches(
+          content,
+          pattern,
+          'incomplete-impl',
+          'warning',
+          'Incomplete implementation detected',
+          filename
+        )
+      );
+    }
+    return findings;
+  },
+};
+
+export const typeAnyAbuse: Rule = {
+  name: 'type-any-abuse',
+  description: 'Detects excessive use of any type',
+  severity: 'warning',
+  languages: ['typescript'],
+  check: (content, filename) => {
+    if (!filename.endsWith('.ts') && !filename.endsWith('.tsx')) {
+      return [];
+    }
+
+    const pattern = /:\s*any\b/g;
+    const findings = findMatches(
+      content,
+      pattern,
+      'type-any-abuse',
+      'warning',
+      'Unsafe "any" type usage - consider using a specific type',
+      filename
+    );
+
+    // Only report if there are many instances
+    if (findings.length > 3) {
+      return findings;
+    }
+    return [];
+  },
+};
+
+export const excessiveComments: Rule = {
+  name: 'excessive-comments',
+  description: 'Detects over-commented obvious code',
+  severity: 'info',
+  languages: ['javascript', 'typescript'],
+  check: (content, filename) => {
+    const findings: Finding[] = [];
+    const lines = content.split('\n');
+    let commentLines = 0;
+    let codeLines = 0;
+
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith('//') || trimmed.startsWith('/*') || trimmed.startsWith('*')) {
+        commentLines++;
+      } else if (trimmed.length > 0) {
+        codeLines++;
+      }
+    }
+
+    // If comments exceed 50% of code, flag it
+    if (codeLines > 10 && commentLines > codeLines * 0.5) {
+      findings.push({
+        rule: 'excessive-comments',
+        severity: 'info',
+        message: `High comment ratio (${commentLines} comments / ${codeLines} code lines) - may be over-documented`,
+        file: filename,
+        line: 1,
+        column: 1,
+      });
+    }
+
+    return findings;
+  },
+};
+
+export const aiSpecificRules: Rule[] = [
+  aiPlaceholder,
+  incompleteImpl,
+  typeAnyAbuse,
+  excessiveComments,
+];

package/src/rules/index.ts

@@ -0,0 +1,12 @@
+import { securityRules } from './security.js';
+import { qualityRules } from './quality.js';
+import { aiSpecificRules } from './ai-specific.js';
+import type { Rule } from '../types.js';
+
+export const allRules: Rule[] = [
+  ...securityRules,
+  ...qualityRules,
+  ...aiSpecificRules,
+];
+
+export { securityRules, qualityRules, aiSpecificRules };