archrisk-engine 1.0.1 → 1.0.2

package/dist/index.d.ts

@@ -3,3 +3,4 @@ export * from './aiDiagnosis.js';
 export * from './archScanner.js';
 export * from './repoAnalyzer.js';
 export * from './deepAnalysis.js';
+export * from './jsAnalyzer.js';

package/dist/index.js

@@ -19,3 +19,4 @@ __exportStar(require("./aiDiagnosis.js"), exports);
 __exportStar(require("./archScanner.js"), exports);
 __exportStar(require("./repoAnalyzer.js"), exports);
 __exportStar(require("./deepAnalysis.js"), exports);
+__exportStar(require("./jsAnalyzer.js"), exports);

package/dist/jsAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import { AnalysisResult } from './analyzer.js';
+/**
+ * [The Eye] JS/TS Analysis Engine
+ *
+ * RegEx-based static analysis for JavaScript/TypeScript files.
+ * MVP: Focused on 8 specific credibility rules.
+ */
+export declare function analyzeJsTsCode(code: string, fileName: string): Promise<AnalysisResult>;

package/dist/jsAnalyzer.js

@@ -0,0 +1,129 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeJsTsCode = analyzeJsTsCode;
+/**
+ * [The Eye] JS/TS Analysis Engine
+ *
+ * RegEx-based static analysis for JavaScript/TypeScript files.
+ * MVP: Focused on 8 specific credibility rules.
+ */
+async function analyzeJsTsCode(code, fileName) {
+    // 1. Architecture Health Scan (God Module / Large File)
+    const lines = code.split('\n');
+    if (lines.length > 800) {
+        return {
+            hasError: true,
+            error: `Large File Risk: ${lines.length} lines. Maintanability risk.`,
+            line: 1,
+            type: 'ProductionRisk',
+            file: fileName
+        };
+    }
+    // 2. Risk Scan (Security & Production Readiness)
+    const riskResult = scanForJsRisks(code, fileName, lines);
+    if (riskResult.hasError) {
+        return riskResult;
+    }
+    return { hasError: false };
+}
+function scanForJsRisks(code, fileName, lines) {
+    const risks = [
+        // Critical (🔴) - Security
+        {
+            pattern: /eval\s*\(|new\s+Function\s*\(/,
+            type: 'SecurityRisk',
+            message: '[Security] Dynamic code execution detected (eval/new Function). This is a severe security risk.'
+        },
+        {
+            pattern: /child_process\.(exec|execSync)\s*\(/,
+            type: 'SecurityRisk',
+            message: '[Security] Shell command execution detected. Ensure inputs are sanitized or use spawn without shell.'
+        },
+        {
+            pattern: /spawn\s*\(.*,\s*\{.*shell:\s*true/s, // Multi-line match attempt with DOTALL flag simulated or just simple check
+            type: 'SecurityRisk',
+            message: '[Security] spawn with { shell: true } detected. This enables shell command injection.'
+        },
+        {
+            pattern: /(?:api[._-]?key|password|secret|token)\s*[:=]\s*['"][a-zA-Z0-9_-]{10,}['"]/i,
+            type: 'SecurityRisk',
+            message: '[Security] Hardcoded secret detected. Use environment variables.'
+        },
+        // Warning (🟡) - Production Readiness
+        {
+            condition: (l) => /(axios(\.[a-z]+)?|fetch|http\.(get|request))\s*\(/.test(l) && !/timeout/.test(l),
+            type: 'ProductionRisk',
+            message: '[Reliability] HTTP call missing explicit timeout. This can cause cascading failures.'
+        },
+        // Heuristic: App listen but no global error handler (simplified: check for generic app.use((err... pattern)
+        {
+            condition: (c) => c.includes('app.listen') && !/app\.use\s*\(\s*\(\s*err/.test(c),
+            type: 'ProductionRisk',
+            message: '[Reliability] Express app detected but Global Error Handler missing. Unhandled errors may crash the server.'
+        },
+        {
+            pattern: /console\.log\s*\(/,
+            type: 'ProductionRisk',
+            message: '[Observability] console.log used in production code. Use a structured logger (winston/pino).'
+        }
+    ];
+    // Line-based checks
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const risk of risks) {
+            // Pattern check
+            if (risk.pattern && risk.pattern.test(line)) {
+                // Skip comments for simple cases
+                if (line.trim().startsWith('//') || line.trim().startsWith('*'))
+                    continue;
+                return {
+                    hasError: true,
+                    error: risk.message,
+                    line: i + 1,
+                    type: risk.type,
+                    file: fileName
+                };
+            }
+            // Line-based Condition check (special case for timeout)
+            // We distinguish global vs line condition by context? 
+            // The 'app.listen' check is clearly global (checks whole code).
+            // The 'timeout' check is clearly line based (checks 'l').
+            // Let's rely on the message content to know if it is line-based for MVP simplicity
+            if (risk.condition && risk.message.includes('HTTP missing timeout') && risk.condition(line)) {
+                if (line.trim().startsWith('//') || line.trim().startsWith('*'))
+                    continue;
+                return {
+                    hasError: true,
+                    error: risk.message,
+                    line: i + 1,
+                    type: risk.type,
+                    file: fileName
+                };
+            }
+        }
+    }
+    // File-based checks (Global patterns)
+    for (const risk of risks) {
+        // Global Condition check
+        if (risk.condition && !risk.message.includes('HTTP missing timeout') && risk.condition(code)) {
+            return {
+                hasError: true,
+                error: risk.message,
+                line: 0,
+                type: risk.type,
+                file: fileName
+            };
+        }
+        // Multi-line regex checks
+        if (risk.pattern && risk.pattern.flags.includes('s') && risk.pattern.test(code)) {
+            return {
+                hasError: true,
+                error: risk.message,
+                line: 0,
+                type: risk.type,
+                file: fileName
+            };
+        }
+    }
+    return { hasError: false };
+}

package/dist/repoAnalyzer.js

@@ -39,6 +39,7 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const child_process_1 = require("child_process");
 const analyzer_js_1 = require("./analyzer.js");
+const jsAnalyzer_js_1 = require("./jsAnalyzer.js");
 const archScanner_js_1 = require("./archScanner.js");
 /**
  * CEO-ready "Business Translation" for technical risks
@@ -305,6 +306,30 @@ async function analyzeRepository(repoPath, resultsDir) {
             console.error(`Error analyzing ${f}:`, e);
         }
     }
+    // 2.1 Code Level Analysis (JS/TS logic)
+    for (const f of files.filter(f => /\.(js|ts|jsx|tsx)$/.test(f))) {
+        try {
+            const code = fs.readFileSync(f, 'utf8');
+            const relativePath = path.relative(repoPath, f);
+            // Logging Check (Simple console.log check is in rules, but here specific frameworks?)
+            // We rely on rules for now.
+            const result = await (0, jsAnalyzer_js_1.analyzeJsTsCode)(code, relativePath);
+            if (result.hasError) {
+                const details = getAuditDetails('RR-SEC-002', result.type || 'Error', result.error || 'Unknown Issue'); // Use SEC-002 for JS? Or reuse.
+                findings.push({
+                    file: relativePath,
+                    line: result.line || 0,
+                    type: result.type || 'Error',
+                    ...details
+                });
+                if (result.type === 'SecurityRisk')
+                    criticalCount++;
+            }
+        }
+        catch (e) {
+            console.error(`Error analyzing ${f}:`, e);
+        }
+    }
     if (!hasLogging && files.filter(f => f.endsWith('.py')).length > 0) {
         const details = getAuditDetails('RR-LOG-001', 'ProductionRisk', '');
         findings.push({ file: 'Repository Root', line: 0, type: 'ProductionRisk', ...details });

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "archrisk-engine",
-    "version": "1.0.1",
+    "version": "1.0.2",
     "main": "dist/index.js",
     "types": "dist/index.d.ts",
     "scripts": {

package/src/index.ts

@@ -3,3 +3,4 @@ export * from './aiDiagnosis.js';
 export * from './archScanner.js';
 export * from './repoAnalyzer.js';
 export * from './deepAnalysis.js';
+export * from './jsAnalyzer.js';

package/src/jsAnalyzer.ts

@@ -0,0 +1,143 @@
+import { AnalysisResult } from './analyzer.js';
+
+/**
+ * [The Eye] JS/TS Analysis Engine
+ * 
+ * RegEx-based static analysis for JavaScript/TypeScript files.
+ * MVP: Focused on 8 specific credibility rules.
+ */
+
+export async function analyzeJsTsCode(code: string, fileName: string): Promise<AnalysisResult> {
+    // 1. Architecture Health Scan (God Module / Large File)
+    const lines = code.split('\n');
+    if (lines.length > 800) {
+        return {
+            hasError: true,
+            error: `Large File Risk: ${lines.length} lines. Maintanability risk.`,
+            line: 1,
+            type: 'ProductionRisk',
+            file: fileName
+        };
+    }
+
+    // 2. Risk Scan (Security & Production Readiness)
+    const riskResult = scanForJsRisks(code, fileName, lines);
+    if (riskResult.hasError) {
+        return riskResult;
+    }
+
+    return { hasError: false };
+}
+
+interface RiskRule {
+    pattern?: RegExp;
+    condition?: (codeOrLine: string) => boolean;
+    type: string;
+    message: string;
+}
+
+function scanForJsRisks(code: string, fileName: string, lines: string[]): AnalysisResult {
+    const risks: RiskRule[] = [
+        // Critical (🔴) - Security
+        {
+            pattern: /eval\s*\(|new\s+Function\s*\(/,
+            type: 'SecurityRisk',
+            message: '[Security] Dynamic code execution detected (eval/new Function). This is a severe security risk.'
+        },
+        {
+            pattern: /child_process\.(exec|execSync)\s*\(/,
+            type: 'SecurityRisk',
+            message: '[Security] Shell command execution detected. Ensure inputs are sanitized or use spawn without shell.'
+        },
+        {
+            pattern: /spawn\s*\(.*,\s*\{.*shell:\s*true/s, // Multi-line match attempt with DOTALL flag simulated or just simple check
+            type: 'SecurityRisk',
+            message: '[Security] spawn with { shell: true } detected. This enables shell command injection.'
+        },
+        {
+            pattern: /(?:api[._-]?key|password|secret|token)\s*[:=]\s*['"][a-zA-Z0-9_-]{10,}['"]/i,
+            type: 'SecurityRisk',
+            message: '[Security] Hardcoded secret detected. Use environment variables.'
+        },
+
+        // Warning (🟡) - Production Readiness
+        {
+            condition: (l) => /(axios(\.[a-z]+)?|fetch|http\.(get|request))\s*\(/.test(l) && !/timeout/.test(l),
+            type: 'ProductionRisk',
+            message: '[Reliability] HTTP call missing explicit timeout. This can cause cascading failures.'
+        },
+        // Heuristic: App listen but no global error handler (simplified: check for generic app.use((err... pattern)
+        {
+            condition: (c) => c.includes('app.listen') && !/app\.use\s*\(\s*\(\s*err/.test(c),
+            type: 'ProductionRisk',
+            message: '[Reliability] Express app detected but Global Error Handler missing. Unhandled errors may crash the server.'
+        },
+        {
+            pattern: /console\.log\s*\(/,
+            type: 'ProductionRisk',
+            message: '[Observability] console.log used in production code. Use a structured logger (winston/pino).'
+        }
+    ];
+
+    // Line-based checks
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const risk of risks) {
+            // Pattern check
+            if (risk.pattern && risk.pattern.test(line)) {
+                // Skip comments for simple cases
+                if (line.trim().startsWith('//') || line.trim().startsWith('*')) continue;
+
+                return {
+                    hasError: true,
+                    error: risk.message,
+                    line: i + 1,
+                    type: risk.type,
+                    file: fileName
+                };
+            }
+
+            // Line-based Condition check (special case for timeout)
+            // We distinguish global vs line condition by context? 
+            // The 'app.listen' check is clearly global (checks whole code).
+            // The 'timeout' check is clearly line based (checks 'l').
+            // Let's rely on the message content to know if it is line-based for MVP simplicity
+            if (risk.condition && risk.message.includes('HTTP missing timeout') && risk.condition(line)) {
+                if (line.trim().startsWith('//') || line.trim().startsWith('*')) continue;
+                return {
+                    hasError: true,
+                    error: risk.message,
+                    line: i + 1,
+                    type: risk.type,
+                    file: fileName
+                };
+            }
+        }
+    }
+
+    // File-based checks (Global patterns)
+    for (const risk of risks) {
+        // Global Condition check
+        if (risk.condition && !risk.message.includes('HTTP missing timeout') && risk.condition(code)) {
+            return {
+                hasError: true,
+                error: risk.message,
+                line: 0,
+                type: risk.type,
+                file: fileName
+            };
+        }
+        // Multi-line regex checks
+        if (risk.pattern && risk.pattern.flags.includes('s') && risk.pattern.test(code)) {
+            return {
+                hasError: true,
+                error: risk.message,
+                line: 0,
+                type: risk.type,
+                file: fileName
+            };
+        }
+    }
+
+    return { hasError: false };
+}

package/src/repoAnalyzer.ts

@@ -2,6 +2,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import { execSync } from 'child_process';
 import { analyzePythonCode, AnalysisResult } from './analyzer.js';
+import { analyzeJsTsCode } from './jsAnalyzer.js';
 import { depsScan } from './archScanner.js';
 
 export interface RepoAnalysisResult {
@@ -314,6 +315,33 @@ export async function analyzeRepository(repoPath: string, resultsDir?: string):
         }
     }
 
+    // 2.1 Code Level Analysis (JS/TS logic)
+    for (const f of files.filter(f => /\.(js|ts|jsx|tsx)$/.test(f))) {
+        try {
+            const code = fs.readFileSync(f, 'utf8');
+            const relativePath = path.relative(repoPath, f);
+
+            // Logging Check (Simple console.log check is in rules, but here specific frameworks?)
+            // We rely on rules for now.
+
+            const result = await analyzeJsTsCode(code, relativePath);
+
+            if (result.hasError) {
+                const details = getAuditDetails('RR-SEC-002', result.type || 'Error', result.error || 'Unknown Issue'); // Use SEC-002 for JS? Or reuse.
+                findings.push({
+                    file: relativePath,
+                    line: result.line || 0,
+                    type: result.type || 'Error',
+                    ...details
+                });
+
+                if (result.type === 'SecurityRisk') criticalCount++;
+            }
+        } catch (e) {
+            console.error(`Error analyzing ${f}:`, e);
+        }
+    }
+
     if (!hasLogging && files.filter(f => f.endsWith('.py')).length > 0) {
         const details = getAuditDetails('RR-LOG-001', 'ProductionRisk', '');
         findings.push({ file: 'Repository Root', line: 0, type: 'ProductionRisk', ...details });