ai-project-maintainer 0.3.0

package/ai-project-maintainer/scripts/init-audit.mjs

@@ -0,0 +1,105 @@
+#!/usr/bin/env node
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import YAML from "yaml";
+import {
+  defaultBusinessFlows,
+  defaultEvidenceSources,
+  defaultProjectProfile,
+  defaultRiskPolicy,
+} from "./lib/intake.mjs";
+
+const markdownTemplates = {
+  ".ai-maintainer/threat-model.md": `# Threat Model
+
+## Assets
+
+- Source code
+- User data
+- Credentials and local secrets
+
+## Trust Boundaries
+
+- Browser or renderer process
+- API or main process
+- Database and file system
+- CI/CD and release artifacts
+
+## User Decisions
+
+- Confirm the real roles, permissions, and sensitive data before production review.
+`,
+  ".ai-maintainer/release-checklist.yml": `schema_version: 1
+release:
+  has_staging: false
+  has_smoke_tests: false
+  has_manual_approval: false
+  has_rollback_plan: false
+  has_versioned_artifacts: false
+`,
+  ".ai-maintainer/incident-runbook.md": `# Incident Runbook
+
+## First Response
+
+- Identify current version and latest deploy.
+- Check error monitoring, logs, and recent migrations.
+- Decide whether rollback is safe.
+
+## User Decisions
+
+- Define who can approve rollback and user communication.
+`,
+  ".ai-maintainer/db-migration-policy.yml": `schema_version: 1
+database:
+  changes_use_migrations: true
+  destructive_changes_require_review: true
+  backup_before_production_migration: false
+  rollback_or_forward_fix_required: false
+`,
+  ".ai-maintainer/observability-checklist.yml": `schema_version: 1
+observability:
+  error_monitoring: false
+  structured_logs: false
+  metrics: false
+  alerts: false
+  release_tracking: false
+`,
+};
+
+function yamlTemplate(value) {
+  return YAML.stringify(value);
+}
+
+function safeWrite(root, relativePath, content, result) {
+  const full = path.join(root, ...relativePath.split("/"));
+  fs.mkdirSync(path.dirname(full), { recursive: true });
+  if (fs.existsSync(full)) {
+    result.skipped.push(relativePath);
+    return;
+  }
+  fs.writeFileSync(full, content);
+  result.created.push(relativePath);
+}
+
+export function initAudit(projectRoot) {
+  const root = path.resolve(projectRoot || process.cwd());
+  const result = { root, created: [], skipped: [] };
+
+  safeWrite(root, ".ai-maintainer/project-profile.yml", yamlTemplate(defaultProjectProfile), result);
+  safeWrite(root, ".ai-maintainer/evidence-sources.yml", yamlTemplate(defaultEvidenceSources), result);
+  safeWrite(root, ".ai-maintainer/business-flows.yml", yamlTemplate(defaultBusinessFlows), result);
+  safeWrite(root, ".ai-maintainer/risk-policy.yml", yamlTemplate(defaultRiskPolicy), result);
+  for (const [relativePath, content] of Object.entries(markdownTemplates)) safeWrite(root, relativePath, content, result);
+
+  return result;
+}
+
+function main() {
+  const projectRoot = process.argv.slice(2).find((arg) => !arg.startsWith("--")) || process.cwd();
+  console.log(JSON.stringify(initAudit(projectRoot), null, 2));
+}
+
+if (process.argv[1] && path.resolve(process.argv[1]) === fileURLToPath(import.meta.url)) {
+  main();
+}

package/ai-project-maintainer/scripts/init-project.mjs

@@ -0,0 +1,229 @@
+#!/usr/bin/env node
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const policyTemplate = `profile: oss
+mode: strict
+checks:
+  gitleaks: block
+  trivy: block
+  semgrep: block
+  osv-scanner: warn
+  syft: warn
+  grype: warn
+  actionlint: block
+  zizmor: warn
+  checkov: warn
+  trivy-config: warn
+  scorecard: warn
+  megalinter: warn
+  pre-commit: warn
+fail_on:
+  tests: true
+  secrets: true
+  dependency_high_or_critical: true
+  semgrep_blocking: true
+  trivy_unavailable: true
+  electron_dangerous_settings: true
+  ci_security_high: true
+warn_on:
+  dev_dependency_vulnerabilities: true
+  missing_optional_tools: true
+`;
+
+const exceptionsTemplate = `exceptions:
+  - id: "example-dev-only-vuln"
+    check: "npm audit"
+    reason: "dev-only transitive dependency, not shipped"
+    expires: "2026-09-01"
+    owner: "repo-owner"
+`;
+
+const workflowTemplate = `name: Security Gate
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - master
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  security-gate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout project
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Setup Go for scanner CLIs
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23"
+
+      - name: Install project dependencies
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [ -f pnpm-lock.yaml ]; then
+            corepack enable
+            pnpm install --frozen-lockfile
+          elif [ -f yarn.lock ]; then
+            corepack enable
+            yarn install --immutable || yarn install --frozen-lockfile
+          elif [ -f bun.lock ] || [ -f bun.lockb ]; then
+            curl -fsSL https://bun.sh/install | bash
+            echo "$HOME/.bun/bin" >> "$GITHUB_PATH"
+            "$HOME/.bun/bin/bun" install --frozen-lockfile
+          elif [ -f package-lock.json ]; then
+            npm ci
+          elif [ -f package.json ]; then
+            npm install
+          fi
+
+      - name: Install security scanners
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p "$HOME/.local/bin"
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+          echo "$HOME/go/bin" >> "$GITHUB_PATH"
+          python -m pip install --user semgrep zizmor checkov
+          go install github.com/gitleaks/gitleaks/v8@latest
+          go install github.com/google/osv-scanner/cmd/osv-scanner@latest
+          go install github.com/rhysd/actionlint/cmd/actionlint@latest
+          go install github.com/anchore/syft/cmd/syft@latest
+          go install github.com/anchore/grype/cmd/grype@latest
+          curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b "$HOME/.local/bin"
+
+      - name: Checkout AI Project Maintainer
+        shell: bash
+        run: |
+          set -euo pipefail
+          git clone --depth 1 https://github.com/xixifusi1213-gif/ai-project-maintainer.git "$RUNNER_TEMP/ai-project-maintainer"
+          cd "$RUNNER_TEMP/ai-project-maintainer"
+          npm ci --omit=dev || npm install --omit=dev
+
+      - name: Run security gate
+        shell: bash
+        run: |
+          set -euo pipefail
+          EXTRA_FLAGS=""
+          if [ -f ".ai-maintainer/project-profile.yml" ]; then
+            EXTRA_FLAGS="$EXTRA_FLAGS --production"
+          fi
+          node "$RUNNER_TEMP/ai-project-maintainer/ai-project-maintainer/scripts/run-local-gate.mjs" "$GITHUB_WORKSPACE" --strict --release $EXTRA_FLAGS --output reports/security-report.json
+
+      - name: Write gate summary
+        if: always()
+        shell: bash
+        run: |
+          if [ -f reports/security-report.md ]; then
+            cat reports/security-report.md >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+      - name: Upload SARIF to code scanning
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: reports/security-report.sarif
+        continue-on-error: true
+
+      - name: Upload security reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-reports
+          path: |
+            reports/security-report.json
+            reports/security-report.md
+            reports/security-report.sarif
+            reports/sbom.cdx.json
+          if-no-files-found: ignore
+`;
+
+const dependabotTemplate = `version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+`;
+
+const preCommitTemplate = `repos:
+  - repo: local
+    hooks:
+      - id: ai-project-maintainer-local-gate
+        name: AI Project Maintainer local gate
+        entry: npx ai-project-maintainer gate .
+        language: system
+        pass_filenames: false
+`;
+
+function safeWrite(root, relativePath, content, result) {
+  const full = path.join(root, ...relativePath.split("/"));
+  fs.mkdirSync(path.dirname(full), { recursive: true });
+  if (fs.existsSync(full)) {
+    result.skipped.push(relativePath);
+    return;
+  }
+  fs.writeFileSync(full, content);
+  result.created.push(relativePath);
+}
+
+export function initProject(projectRoot, options = {}) {
+  const root = path.resolve(projectRoot || process.cwd());
+  const result = { root, created: [], skipped: [] };
+
+  safeWrite(root, ".ai-maintainer/policy.yml", policyTemplate, result);
+  safeWrite(root, ".ai-maintainer/exceptions.yml", exceptionsTemplate, result);
+  if ((options.ci || "github") === "github") {
+    safeWrite(root, ".github/workflows/security-gate.yml", workflowTemplate, result);
+    safeWrite(root, ".github/dependabot.yml", dependabotTemplate, result);
+  }
+  safeWrite(root, "reports/.gitkeep", "", result);
+  if (options.preCommit) {
+    safeWrite(root, ".pre-commit-config.yaml", preCommitTemplate, result);
+  }
+
+  return result;
+}
+
+function parseArgs(args) {
+  const readOption = (name, fallback) => {
+    const index = args.indexOf(name);
+    if (index !== -1) return args[index + 1] || fallback;
+    const inline = args.find((arg) => arg.startsWith(`${name}=`));
+    return inline ? inline.slice(name.length + 1) : fallback;
+  };
+  return {
+    projectRoot: args.find((arg) => !arg.startsWith("--")) || process.cwd(),
+    profile: readOption("--profile", "oss"),
+    ci: readOption("--ci", "github"),
+    preCommit: args.includes("--pre-commit"),
+  };
+}
+
+function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const result = initProject(args.projectRoot, { profile: args.profile, ci: args.ci, preCommit: args.preCommit });
+  console.log(JSON.stringify(result, null, 2));
+}
+
+if (process.argv[1] && path.resolve(process.argv[1]) === fileURLToPath(import.meta.url)) {
+  main();
+}

package/ai-project-maintainer/scripts/lib/check-registry.mjs

@@ -0,0 +1,68 @@
+import {
+  runCiSecurityChecks,
+  runDatabaseChecks,
+  runElectronChecks,
+  runGrypeChecks,
+  runIacChecks,
+  runMegaLinterChecks,
+  runOsvScannerChecks,
+  runPackageAuditChecks,
+  runPreCommitChecks,
+  runSastChecks,
+  runScorecardChecks,
+  runSecretChecks,
+  runSyftChecks,
+  runTestChecks,
+  runTrivyFilesystemChecks,
+} from "./checks.mjs";
+
+const builtinCheckRegistry = [
+  { id: "tests", group: "tests", title: "Project tests and release scripts", requiredTools: ["npm", "pnpm", "yarn", "bun"], detect: (project) => Boolean(project.packageJson), run: ({ project, options }) => runTestChecks(project, options), defaultLevel: "block" },
+  { id: "package-audit", group: "dependencies", title: "Package manager production audit", requiredTools: ["npm", "pnpm", "yarn"], detect: (project) => Boolean(project.packageJson), run: ({ project, options }) => runPackageAuditChecks(project, options), defaultLevel: "block" },
+  { id: "gitleaks", group: "secrets", title: "Gitleaks secret scan", requiredTools: ["gitleaks"], detect: () => true, run: ({ project, options }) => runSecretChecks(project, options), defaultLevel: "block" },
+  { id: "trivy", group: "dependencies", title: "Trivy filesystem scan", requiredTools: ["trivy"], detect: () => true, run: ({ project, options }) => runTrivyFilesystemChecks(project, options), defaultLevel: "block" },
+  { id: "osv-scanner", group: "dependencies", title: "OSV-Scanner dependency scan", requiredTools: ["osv-scanner"], detect: (project) => (project.files || []).some((file) => /(^|\/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|bun\.lockb?|go\.sum|requirements.*\.txt|poetry\.lock|Cargo\.lock|Gemfile\.lock)$/i.test(file)), run: ({ project, options }) => runOsvScannerChecks(project, options), defaultLevel: "warn" },
+  { id: "semgrep", group: "sast", title: "Semgrep static scan", requiredTools: ["semgrep"], detect: () => true, run: ({ project, options }) => runSastChecks(project, options), defaultLevel: "block" },
+  { id: "syft", group: "supply-chain", title: "Syft SBOM", requiredTools: ["syft"], detect: () => true, run: ({ project, options }) => runSyftChecks(project, options), defaultLevel: "warn" },
+  { id: "grype", group: "supply-chain", title: "Grype vulnerability scan", requiredTools: ["grype"], detect: () => true, run: ({ project, options }) => runGrypeChecks(project, options), defaultLevel: "warn" },
+  { id: "actionlint", group: "ci-security", title: "actionlint workflow lint", requiredTools: ["actionlint"], detect: (project) => (project.riskSurfaces?.ci || []).length > 0, run: ({ project, options }) => runCiSecurityChecks(project, options).filter((check) => check.checkId === "actionlint"), defaultLevel: "block" },
+  { id: "zizmor", group: "ci-security", title: "zizmor workflow security", requiredTools: ["zizmor"], detect: (project) => (project.riskSurfaces?.ci || []).length > 0, run: ({ project, options }) => runCiSecurityChecks(project, options).filter((check) => check.checkId === "zizmor"), defaultLevel: "warn" },
+  { id: "checkov", group: "iac", title: "Checkov IaC scan", requiredTools: ["checkov"], detect: (project) => (project.riskSurfaces?.infra || []).length > 0, run: ({ project, options }) => runIacChecks(project, options).filter((check) => check.checkId === "checkov" || check.checkId === "trivy-config"), defaultLevel: "warn" },
+  { id: "electron", group: "electron", title: "Electron baseline", requiredTools: [], detect: (project) => Boolean(project.electron?.detected), run: ({ project }) => runElectronChecks(project), defaultLevel: "block" },
+  { id: "database", group: "database", title: "Database migration review", requiredTools: ["squawk"], detect: (project) => (project.riskSurfaces?.database || []).length > 0, run: ({ project, options }) => runDatabaseChecks(project, options), defaultLevel: "block" },
+  { id: "scorecard", group: "oss-hygiene", title: "OpenSSF Scorecard", requiredTools: ["scorecard"], detect: () => true, run: ({ project, options }) => runScorecardChecks(project, options), defaultLevel: "warn" },
+  { id: "pre-commit", group: "oss-hygiene", title: "pre-commit hooks", requiredTools: ["pre-commit"], detect: () => true, run: ({ project, options }) => runPreCommitChecks(project, options), defaultLevel: "warn" },
+  { id: "megalinter", group: "oss-hygiene", title: "MegaLinter security profile", requiredTools: ["mega-linter-runner"], detect: () => true, run: ({ project, options }) => runMegaLinterChecks(project, options), defaultLevel: "warn" },
+];
+
+export function getBuiltinCheckRegistry() {
+  return builtinCheckRegistry.map((check) => ({ ...check }));
+}
+
+export function resolveEnabledChecks(registry, policy = {}) {
+  const configuredLevels = policy.checks || {};
+  return registry
+    .map((check) => ({ ...check, level: configuredLevels[check.id] || check.defaultLevel }))
+    .filter((check) => check.level !== "off");
+}
+
+export function runRegisteredChecks(project, options = {}) {
+  const policy = options.policy || {};
+  const registry = options.registry || getBuiltinCheckRegistry();
+  const enabledChecks = resolveEnabledChecks(registry, policy);
+  const results = [];
+
+  for (const definition of enabledChecks) {
+    if (!definition.detect(project, options)) continue;
+    const checks = definition.run({ project, options, definition });
+    for (const check of checks) {
+      results.push({
+        checkId: check.checkId || definition.id,
+        policyLevel: definition.level,
+        ...check,
+      });
+    }
+  }
+
+  return results;
+}