antigravity-devkit 1.0.2 → 1.0.4

package/template/scripts/security_scan.py

@@ -1,354 +0,0 @@
-#!/usr/bin/env python3
-"""
-Security Scanner - Security vulnerability detection and analysis
-Used by security-auditor agent to scan for security issues.
-
-Usage:
-    python security_scan.py <project_path>
-    python security_scan.py <project_path> --severity high
-"""
-
-import subprocess
-import sys
-import re
-import json
-from pathlib import Path
-from typing import Tuple, Dict, Any, List
-
-
-def run_command(cmd: list[str], cwd: str = ".") -> Tuple[int, str]:
-    """Run a command and return exit code and output."""
-    try:
-        result = subprocess.run(
-            cmd,
-            cwd=cwd,
-            capture_output=True,
-            text=True,
-            timeout=300
-        )
-        return result.returncode, result.stdout + result.stderr
-    except subprocess.TimeoutExpired:
-        return 1, "Command timed out after 5 minutes"
-    except FileNotFoundError:
-        return 1, f"Command not found: {cmd[0]}"
-
-
-def scan_hardcoded_secrets(project_path: str) -> List[Dict[str, str]]:
-    """Scan for hardcoded secrets and credentials."""
-    findings = []
-    path = Path(project_path)
-    
-    # Patterns to search for
-    secret_patterns = {
-        'password': r'password\s*=\s*["\'](?!.*\{.*\})([^"\']+)["\']',
-        'api_key': r'(api[_-]?key|apikey)\s*[=:]\s*["\']([^"\']+)["\']',
-        'secret': r'secret\s*[=:]\s*["\'](?!.*\{.*\})([^"\']+)["\']',
-        'token': r'(access[_-]?token|auth[_-]?token)\s*[=:]\s*["\']([^"\']+)["\']',
-        'connection_string': r'(connectionstring|connection[_-]string)\s*[=:]\s*["\'](?!.*\{.*\})([^"\']+)["\']',
-        'private_key': r'(private[_-]?key|privatekey)\s*[=:]\s*["\']([^"\']+)["\']',
-    }
-    
-    # File extensions to scan
-    extensions = ['.cs', '.ts', '.js', '.vue', '.json', '.config', '.yaml', '.yml']
-    
-    for ext in extensions:
-        for file_path in path.glob(f"**/*{ext}"):
-            # Skip node_modules, bin, obj directories
-            if any(skip in str(file_path) for skip in ['node_modules', 'bin', 'obj', '.git']):
-                continue
-            
-            try:
-                with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
-                    content = f.read()
-                    
-                    for pattern_name, pattern in secret_patterns.items():
-                        matches = re.finditer(pattern, content, re.IGNORECASE)
-                        for match in matches:
-                            # Skip if it looks like a placeholder or environment variable
-                            matched_value = match.group(0)
-                            if any(skip in matched_value.lower() for skip in ['example', 'placeholder', 'your_', 'xxx', '***', 'env.']):
-                                continue
-                            
-                            findings.append({
-                                'type': pattern_name,
-                                'file': str(file_path.relative_to(path)),
-                                'line': content[:match.start()].count('\n') + 1,
-                                'severity': 'HIGH',
-                                'message': f'Potential hardcoded {pattern_name.replace("_", " ")}'
-                            })
-            except Exception:
-                continue
-    
-    return findings
-
-
-def scan_npm_vulnerabilities(project_path: str) -> List[Dict[str, str]]:
-    """Scan npm packages for known vulnerabilities."""
-    findings = []
-    package_json = Path(project_path) / "package.json"
-    
-    if not package_json.exists():
-        return findings
-    
-    # Run npm audit
-    code, output = run_command(["npm", "audit", "--json"], project_path)
-    
-    try:
-        audit_data = json.loads(output)
-        
-        # Parse vulnerabilities
-        if 'vulnerabilities' in audit_data:
-            for pkg_name, vuln_info in audit_data['vulnerabilities'].items():
-                severity = vuln_info.get('severity', 'unknown').upper()
-                
-                findings.append({
-                    'type': 'npm_vulnerability',
-                    'file': 'package.json',
-                    'package': pkg_name,
-                    'severity': severity,
-                    'message': f"{pkg_name}: {vuln_info.get('via', ['Unknown issue'])[0] if isinstance(vuln_info.get('via'), list) else 'Vulnerability detected'}"
-                })
-    except json.JSONDecodeError:
-        # Fallback to text parsing
-        if 'vulnerabilities' in output.lower():
-            findings.append({
-                'type': 'npm_vulnerability',
-                'file': 'package.json',
-                'severity': 'UNKNOWN',
-                'message': 'npm audit found vulnerabilities (run npm audit for details)'
-            })
-    
-    return findings
-
-
-def scan_dotnet_vulnerabilities(project_path: str) -> List[Dict[str, str]]:
-    """Scan .NET packages for known vulnerabilities."""
-    findings = []
-    
-    # Check if dotnet is available
-    code, _ = run_command(["dotnet", "--version"])
-    if code != 0:
-        return findings
-    
-    # Run dotnet list package --vulnerable
-    code, output = run_command(["dotnet", "list", "package", "--vulnerable"], project_path)
-    
-    if code == 0 and output:
-        lines = output.split('\n')
-        for line in lines:
-            if 'vulnerable' in line.lower() or 'severity' in line.lower():
-                findings.append({
-                    'type': 'nuget_vulnerability',
-                    'file': 'packages',
-                    'severity': 'MEDIUM',
-                    'message': line.strip()
-                })
-    
-    return findings
-
-
-def scan_insecure_patterns(project_path: str) -> List[Dict[str, str]]:
-    """Scan for insecure coding patterns."""
-    findings = []
-    path = Path(project_path)
-    
-    insecure_patterns = {
-        'sql_injection': {
-            'pattern': r'(ExecuteRawSql|FromSqlRaw|ExecuteSqlCommand)\s*\([^)]*\+',
-            'message': 'Potential SQL injection - avoid string concatenation in SQL queries',
-            'severity': 'HIGH'
-        },
-        'xss': {
-            'pattern': r'innerHTML\s*=\s*(?!["\']\s*["\'])',
-            'message': 'Potential XSS vulnerability - avoid innerHTML with user input',
-            'severity': 'HIGH'
-        },
-        'weak_crypto': {
-            'pattern': r'(MD5|SHA1)\.Create\(',
-            'message': 'Weak cryptographic algorithm - use SHA256 or stronger',
-            'severity': 'MEDIUM'
-        },
-        'eval_usage': {
-            'pattern': r'\beval\s*\(',
-            'message': 'Dangerous eval() usage - avoid evaluating dynamic code',
-            'severity': 'HIGH'
-        },
-        'http_not_https': {
-            'pattern': r'http://(?!localhost|127\.0\.0\.1)',
-            'message': 'HTTP URL detected - use HTTPS for external resources',
-            'severity': 'MEDIUM'
-        }
-    }
-    
-    extensions = ['.cs', '.ts', '.js', '.vue']
-    
-    for ext in extensions:
-        for file_path in path.glob(f"**/*{ext}"):
-            if any(skip in str(file_path) for skip in ['node_modules', 'bin', 'obj', '.git']):
-                continue
-            
-            try:
-                with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
-                    content = f.read()
-                    
-                    for pattern_name, pattern_info in insecure_patterns.items():
-                        matches = re.finditer(pattern_info['pattern'], content, re.IGNORECASE)
-                        for match in matches:
-                            findings.append({
-                                'type': pattern_name,
-                                'file': str(file_path.relative_to(path)),
-                                'line': content[:match.start()].count('\n') + 1,
-                                'severity': pattern_info['severity'],
-                                'message': pattern_info['message']
-                            })
-            except Exception:
-                continue
-    
-    return findings
-
-
-def check_security_headers(project_path: str) -> List[Dict[str, str]]:
-    """Check for security header configurations."""
-    findings = []
-    path = Path(project_path)
-    
-    # Check for ASP.NET security configurations
-    startup_files = list(path.glob("**/Startup.cs")) + list(path.glob("**/Program.cs"))
-    
-    for startup_file in startup_files:
-        try:
-            with open(startup_file, 'r', encoding='utf-8') as f:
-                content = f.read()
-                
-                # Check for HSTS
-                if 'UseHsts' not in content:
-                    findings.append({
-                        'type': 'missing_hsts',
-                        'file': str(startup_file.relative_to(path)),
-                        'severity': 'MEDIUM',
-                        'message': 'HSTS not configured - add app.UseHsts()'
-                    })
-                
-                # Check for HTTPS redirection
-                if 'UseHttpsRedirection' not in content:
-                    findings.append({
-                        'type': 'missing_https_redirect',
-                        'file': str(startup_file.relative_to(path)),
-                        'severity': 'MEDIUM',
-                        'message': 'HTTPS redirection not configured'
-                    })
-        except Exception:
-            continue
-    
-    return findings
-
-
-def format_report(all_findings: List[Dict[str, str]], severity_filter: str = None) -> Tuple[str, int]:
-    """Format security scan report."""
-    # Filter by severity if specified
-    if severity_filter:
-        all_findings = [f for f in all_findings if f['severity'] == severity_filter.upper()]
-    
-    # Group by severity
-    by_severity = {'HIGH': [], 'MEDIUM': [], 'LOW': [], 'UNKNOWN': []}
-    for finding in all_findings:
-        severity = finding.get('severity', 'UNKNOWN')
-        by_severity[severity].append(finding)
-    
-    report = []
-    report.append("=" * 60)
-    report.append("🔒 SECURITY SCAN REPORT")
-    report.append("=" * 60)
-    
-    report.append("")
-    report.append("📊 Summary:")
-    report.append(f"  Total findings: {len(all_findings)}")
-    report.append(f"  HIGH:    {len(by_severity['HIGH'])} 🔴")
-    report.append(f"  MEDIUM:  {len(by_severity['MEDIUM'])} 🟡")
-    report.append(f"  LOW:     {len(by_severity['LOW'])} 🟢")
-    
-    # Report HIGH severity issues
-    if by_severity['HIGH']:
-        report.append("")
-        report.append("🔴 HIGH Severity Issues:")
-        for finding in by_severity['HIGH'][:15]:
-            report.append(f"  • {finding['file']}:{finding.get('line', '?')}")
-            report.append(f"    {finding['message']}")
-        if len(by_severity['HIGH']) > 15:
-            report.append(f"  ... and {len(by_severity['HIGH']) - 15} more")
-    
-    # Report MEDIUM severity issues
-    if by_severity['MEDIUM']:
-        report.append("")
-        report.append("🟡 MEDIUM Severity Issues:")
-        for finding in by_severity['MEDIUM'][:10]:
-            report.append(f"  • {finding['file']}:{finding.get('line', '?')}")
-            report.append(f"    {finding['message']}")
-        if len(by_severity['MEDIUM']) > 10:
-            report.append(f"  ... and {len(by_severity['MEDIUM']) - 10} more")
-    
-    report.append("")
-    report.append("=" * 60)
-    
-    # Determine exit code
-    if by_severity['HIGH']:
-        report.append("❌ Security scan failed - HIGH severity issues found")
-        return "\n".join(report), 1
-    elif by_severity['MEDIUM']:
-        report.append("⚠️  Security scan completed with warnings")
-        return "\n".join(report), 0
-    else:
-        report.append("✅ No security issues found")
-        return "\n".join(report), 0
-
-
-def main():
-    if len(sys.argv) < 2:
-        print("Usage: python security_scan.py <project_path> [--severity high|medium|low]")
-        sys.exit(1)
-    
-    project_path = sys.argv[1]
-    severity_filter = None
-    
-    if "--severity" in sys.argv:
-        sev_index = sys.argv.index("--severity") + 1
-        if sev_index < len(sys.argv):
-            severity_filter = sys.argv[sev_index]
-    
-    print("🔒 Security Scanner")
-    print("=" * 60)
-    print(f"Project: {project_path}")
-    if severity_filter:
-        print(f"Severity filter: {severity_filter.upper()}")
-    print()
-    
-    all_findings = []
-    
-    # Run scans
-    print("Scanning for hardcoded secrets...")
-    all_findings.extend(scan_hardcoded_secrets(project_path))
-    
-    print("Scanning npm vulnerabilities...")
-    all_findings.extend(scan_npm_vulnerabilities(project_path))
-    
-    print("Scanning .NET vulnerabilities...")
-    all_findings.extend(scan_dotnet_vulnerabilities(project_path))
-    
-    print("Scanning for insecure patterns...")
-    all_findings.extend(scan_insecure_patterns(project_path))
-    
-    print("Checking security headers...")
-    all_findings.extend(check_security_headers(project_path))
-    
-    print()
-    print("-" * 60)
-    
-    # Generate and print report
-    report, exit_code = format_report(all_findings, severity_filter)
-    print(report)
-    
-    sys.exit(exit_code)
-
-
-if __name__ == "__main__":
-    main()

package/template/scripts/verify_all.py

@@ -1,243 +0,0 @@
-#!/usr/bin/env python3
-"""
-Verify All - Comprehensive project verification
-Run before deployment or releases.
-
-Usage:
-    python .agent-antigravity/scripts/verify_all.py .
-    python .agent-antigravity/scripts/verify_all.py . --url http://localhost:3000
-"""
-
-import subprocess
-import sys
-import os
-from pathlib import Path
-from datetime import datetime
-
-
-def run_command(cmd: list[str], cwd: str = ".") -> tuple[int, str]:
-    """Run a command and return exit code and output."""
-    try:
-        result = subprocess.run(
-            cmd,
-            cwd=cwd,
-            capture_output=True,
-            text=True,
-            timeout=600
-        )
-        return result.returncode, result.stdout + result.stderr
-    except subprocess.TimeoutExpired:
-        return 1, "Command timed out"
-    except FileNotFoundError:
-        return 1, f"Command not found: {cmd[0]}"
-
-
-class Verifier:
-    def __init__(self, project_path: str, url: str = None):
-        self.project_path = project_path
-        self.url = url
-        self.results = []
-    
-    def add_result(self, category: str, name: str, passed: bool, details: str = ""):
-        self.results.append({
-            "category": category,
-            "name": name,
-            "passed": passed,
-            "details": details
-        })
-    
-    def run_all(self):
-        """Run all verification checks."""
-        print("=" * 70)
-        print("COMPREHENSIVE PROJECT VERIFICATION")
-        print(f"Started: {datetime.now().isoformat()}")
-        print("=" * 70)
-        
-        self.verify_security()
-        self.verify_code_quality()
-        self.verify_tests()
-        self.verify_build()
-        self.verify_dependencies()
-        
-        if self.url:
-            self.verify_runtime(self.url)
-        
-        self.print_summary()
-    
-    def verify_security(self):
-        """Security verification."""
-        print("\n[SECURITY]")
-        
-        # Check for secrets
-        secret_patterns = [
-            ("password", "password="),
-            ("api_key", "apikey="),
-            ("secret", "secret="),
-            ("connection_string", "connectionstring="),
-        ]
-        
-        for name, pattern in secret_patterns:
-            code, output = run_command(
-                ["grep", "-ri", pattern, "--include=*.cs", "--include=*.ts"],
-                self.project_path
-            )
-            passed = code != 0 or not output.strip()
-            self.add_result("Security", f"No hardcoded {name}", passed)
-            print(f"  {'✅' if passed else '❌'} No hardcoded {name}")
-        
-        # npm audit
-        package_json = Path(self.project_path) / "package.json"
-        if package_json.exists():
-            code, output = run_command(["npm", "audit", "--audit-level=critical"], self.project_path)
-            passed = code == 0
-            self.add_result("Security", "npm audit (critical)", passed, output[:200])
-            print(f"  {'✅' if passed else '❌'} npm audit (critical)")
-    
-    def verify_code_quality(self):
-        """Code quality verification."""
-        print("\n[CODE QUALITY]")
-        
-        # Frontend lint
-        package_json = Path(self.project_path) / "package.json"
-        if package_json.exists():
-            code, output = run_command(["npm", "run", "lint"], self.project_path)
-            passed = code == 0
-            self.add_result("Code Quality", "Frontend lint", passed)
-            print(f"  {'✅' if passed else '❌'} Frontend lint")
-            
-            # TypeScript
-            code, output = run_command(["npx", "tsc", "--noEmit"], self.project_path)
-            passed = code == 0
-            self.add_result("Code Quality", "TypeScript check", passed)
-            print(f"  {'✅' if passed else '❌'} TypeScript check")
-        
-        # Backend lint (if applicable)
-        csproj_files = list(Path(self.project_path).glob("**/*.csproj"))
-        if csproj_files:
-            code, output = run_command(["dotnet", "format", "--verify-no-changes"], self.project_path)
-            passed = code == 0
-            self.add_result("Code Quality", "C# formatting", passed)
-            print(f"  {'✅' if passed else '❌'} C# formatting")
-    
-    def verify_tests(self):
-        """Test verification."""
-        print("\n[TESTS]")
-        
-        # Frontend tests
-        package_json = Path(self.project_path) / "package.json"
-        if package_json.exists():
-            code, output = run_command(["npm", "run", "test", "--", "--run"], self.project_path)
-            passed = code == 0
-            self.add_result("Tests", "Frontend tests", passed)
-            print(f"  {'✅' if passed else '❌'} Frontend tests")
-        
-        # Backend tests
-        sln_files = list(Path(self.project_path).glob("*.sln"))
-        if sln_files:
-            code, output = run_command(["dotnet", "test"], self.project_path)
-            passed = code == 0
-            self.add_result("Tests", "Backend tests", passed)
-            print(f"  {'✅' if passed else '❌'} Backend tests")
-    
-    def verify_build(self):
-        """Build verification."""
-        print("\n[BUILD]")
-        
-        # Frontend build
-        package_json = Path(self.project_path) / "package.json"
-        if package_json.exists():
-            code, output = run_command(["npm", "run", "build"], self.project_path)
-            passed = code == 0
-            self.add_result("Build", "Frontend build", passed)
-            print(f"  {'✅' if passed else '❌'} Frontend build")
-        
-        # Backend build
-        sln_files = list(Path(self.project_path).glob("*.sln"))
-        if sln_files:
-            code, output = run_command(["dotnet", "build", "-c", "Release"], self.project_path)
-            passed = code == 0
-            self.add_result("Build", "Backend build", passed)
-            print(f"  {'✅' if passed else '❌'} Backend build")
-    
-    def verify_dependencies(self):
-        """Dependency verification."""
-        print("\n[DEPENDENCIES]")
-        
-        # npm outdated
-        package_json = Path(self.project_path) / "package.json"
-        if package_json.exists():
-            code, output = run_command(["npm", "outdated"], self.project_path)
-            # outdated returns 1 if there are outdated packages
-            self.add_result("Dependencies", "npm packages", True, "Check npm outdated for details")
-            print(f"  ℹ️  npm outdated check complete")
-        
-        # dotnet outdated (if tool installed)
-        sln_files = list(Path(self.project_path).glob("*.sln"))
-        if sln_files:
-            code, output = run_command(["dotnet", "list", "package", "--outdated"], self.project_path)
-            self.add_result("Dependencies", "NuGet packages", True, "Check dotnet list package for details")
-            print(f"  ℹ️  NuGet outdated check complete")
-    
-    def verify_runtime(self, url: str):
-        """Runtime verification (if URL provided)."""
-        print("\n[RUNTIME]")
-        
-        # Health check
-        code, output = run_command(["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", f"{url}/health"])
-        passed = output.strip() == "200"
-        self.add_result("Runtime", "Health check", passed)
-        print(f"  {'✅' if passed else '❌'} Health check")
-    
-    def print_summary(self):
-        """Print verification summary."""
-        print("\n" + "=" * 70)
-        print("VERIFICATION SUMMARY")
-        print("=" * 70)
-        
-        categories = {}
-        for r in self.results:
-            cat = r["category"]
-            if cat not in categories:
-                categories[cat] = []
-            categories[cat].append(r)
-        
-        total_passed = 0
-        total_count = 0
-        
-        for cat, items in categories.items():
-            print(f"\n{cat}:")
-            for item in items:
-                status = "✅" if item["passed"] else "❌"
-                print(f"  {status} {item['name']}")
-                total_count += 1
-                if item["passed"]:
-                    total_passed += 1
-        
-        print("\n" + "-" * 70)
-        print(f"Total: {total_passed}/{total_count} checks passed")
-        
-        if total_passed < total_count:
-            print("\n❌ Some checks failed. Review and fix before deployment.")
-            sys.exit(1)
-        else:
-            print("\n✅ All checks passed! Ready for deployment.")
-
-
-def main():
-    if len(sys.argv) < 2:
-        print("Usage: python verify_all.py <project_path> [--url <url>]")
-        sys.exit(1)
-    
-    project_path = sys.argv[1]
-    url = None
-    if "--url" in sys.argv:
-        url_index = sys.argv.index("--url") + 1
-        if url_index < len(sys.argv):
-            url = sys.argv[url_index]
-    
-    verifier = Verifier(project_path, url)
-    verifier.run_all()
-
-
-if __name__ == "__main__":
-    main()