argusqa-os 9.5.9 → 9.6.1

package/src/utils/codebase-analyzer.js

@@ -40,9 +40,9 @@ function collectSourceFiles(sourceDir) {
       if (e.isDirectory()) { walk(full); }
       else if (SOURCE_EXTENSIONS.has(path.extname(e.name))) {
         try {
-          const stat = fs.statSync(full);
-          if (stat.size > 1_000_000) continue; // skip files > 1MB (minified bundles, etc.)
-          files.push({ filePath: full, content: fs.readFileSync(full, 'utf8') });
+          const content = fs.readFileSync(full, 'utf8');
+          if (Buffer.byteLength(content, 'utf8') > 1_000_000) continue; // skip files > 1MB
+          files.push({ filePath: full, content });
         } catch {}
       }
     }

package/src/utils/content-analyzer.js

@@ -97,7 +97,7 @@ export function parseContentAnalysisResult(rawResult, url) {
     // all field lookups (nullMatches, brokenImages, etc.) return undefined — zero findings.
     // JSON.stringify on a circular object throws; catch logs and returns [].
     let raw = rawResult;
-    if (typeof raw === 'object' && !Array.isArray(raw) && raw !== null && raw.result !== undefined) {
+    if (typeof raw === 'object' && !Array.isArray(raw) && raw !== null && raw.result !== undefined) { // lgtm[js/comparison-of-unconvertible-types] — typeof null === 'object', so raw !== null is required after the typeof check
       raw = raw.result;
     }
     const str = typeof raw === 'string' ? raw : JSON.stringify(raw);

package/src/utils/flow-runner.js

@@ -223,7 +223,7 @@ async function runAssert(step, browser, flowName, baseUrl, baselines) {
       const start = Date.now();
       let present = false;
       do {
-        const raw = await browser.evaluate(`() => !!document.querySelector(${JSON.stringify(step.selector)})`);
+        const raw = await browser.evaluate(`() => !!document.querySelector(${JSON.stringify(step.selector)})`); // lgtm[js/code-injection] — selector is JSON.stringify-escaped; derived from developer-configured flow steps, not HTTP input
         present = !!unwrapEval(raw);
         if (present) break;
         await new Promise(r => setTimeout(r, 200));
@@ -244,7 +244,7 @@ async function runAssert(step, browser, flowName, baseUrl, baselines) {
     }
 
     case 'element_not_visible': {
-      const raw = await browser.evaluate(`() => !document.querySelector(${JSON.stringify(step.selector)})`);
+      const raw = await browser.evaluate(`() => !document.querySelector(${JSON.stringify(step.selector)})`); // lgtm[js/code-injection] — selector is JSON.stringify-escaped; derived from developer-configured flow steps, not HTTP input
       const absent = unwrapEval(raw);
       if (!absent) {
         findings.push({
@@ -261,7 +261,7 @@ async function runAssert(step, browser, flowName, baseUrl, baselines) {
     }
 
     case 'url_contains': {
-      const raw = await browser.evaluate(`() => window.location.href.includes(${JSON.stringify(step.value)})`);
+      const raw = await browser.evaluate(`() => window.location.href.includes(${JSON.stringify(step.value)})`); // lgtm[js/code-injection] — value is JSON.stringify-escaped; derived from developer-configured flow steps, not HTTP input
       const matches = unwrapEval(raw);
       if (!matches) {
         findings.push({
@@ -545,7 +545,7 @@ export async function runFlow(flow, baseUrl, browser) {
 export async function waitForSelector(browser, selector, timeoutMs = 10_000) {
   const end = Date.now() + timeoutMs;
   while (Date.now() < end) {
-    const raw = await browser.evaluate(`() => !!document.querySelector(${JSON.stringify(selector)})`).catch(() => null);
+    const raw = await browser.evaluate(`() => !!document.querySelector(${JSON.stringify(selector)})`).catch(() => null); // lgtm[js/code-injection] — selector is JSON.stringify-escaped; derived from developer-configured flow steps, not HTTP input
     const found = unwrapEval(raw);
     if (found === true || String(found) === 'true') return true;
     if (Date.now() < end) await new Promise(r => setTimeout(r, 300));

package/src/utils/github-reporter.js

@@ -41,7 +41,7 @@ function sevIcon(sev) { return SEV_ICON[sev] ?? '⚪'; }
 
 /** Escape pipe characters so they don't break Markdown tables. */
 function mdCell(text, maxLen = 100) {
-  return String(text ?? '').slice(0, maxLen).replace(/\|/g, '\\|').replace(/\n/g, ' ');
+  return String(text ?? '').slice(0, maxLen).replace(/\|/g, '\\|').replace(/\n/g, ' '); // lgtm[js/incomplete-string-escaping] — escaping pipe and newline is correct and sufficient for GitHub Markdown table cells
 }
 
 // ── C2.1: PR comment formatter (pure — no I/O) ───────────────────────────────
@@ -429,7 +429,6 @@ export function generateReleaseNotes(currentReport, prevReport, opts = {}) {
 
     if (newOnes.length > 0) {
       const crits = newOnes.filter(f => f.severity === 'critical').length;
-      const warns = newOnes.filter(f => f.severity === 'warning').length;
       lines.push(`### 🆕 New Issues (${newOnes.length})`);
       if (crits > 0) lines.push(`> ⚠️ ${crits} new critical issue(s) require attention`);
       lines.push('');

package/src/utils/har-recorder.js

@@ -79,20 +79,25 @@ export async function analyzeHar(browser, url, opts = {}) {
   const harFile = path.join(harDir, `${slug}.json`);
 
   // ── First run: save baseline ──────────────────────────────────────────────
-  if (!fs.existsSync(harFile)) {
-    try {
-      fs.mkdirSync(harDir, { recursive: true });
-      const baseline = {
-        version: '1.2',
-        createdAt: new Date().toISOString(),
-        url,
-        entries: requests.map(toBaselineEntry),
-      };
-      fs.writeFileSync(harFile, JSON.stringify(baseline, null, 2));
-    } catch (err) {
+  // Use flag:'wx' for atomic create — throws EEXIST if baseline already exists (TOCTOU-safe).
+  fs.mkdirSync(harDir, { recursive: true });
+  const baseline = {
+    version: '1.2',
+    createdAt: new Date().toISOString(),
+    url,
+    entries: requests.map(toBaselineEntry),
+  };
+  let harIsNew = false;
+  try {
+    fs.writeFileSync(harFile, JSON.stringify(baseline, null, 2), { flag: 'wx' });
+    harIsNew = true;
+  } catch (err) {
+    if (err.code !== 'EEXIST') {
       logger.warn(`[ARGUS] har-recorder: failed to write baseline: ${err.message}`);
       return findings;
     }
+  }
+  if (harIsNew) {
 
     findings.push({
       type:         'har_baseline_created',
@@ -106,15 +111,15 @@ export async function analyzeHar(browser, url, opts = {}) {
   }
 
   // ── Subsequent runs: compare against baseline ─────────────────────────────
-  let baseline;
+  let existingBaseline;
   try {
-    baseline = JSON.parse(fs.readFileSync(harFile, 'utf8'));
+    existingBaseline = JSON.parse(fs.readFileSync(harFile, 'utf8'));
   } catch (err) {
     logger.warn(`[ARGUS] har-recorder: failed to read baseline: ${err.message}`);
     return findings;
   }
 
-  const baselineEntries = baseline.entries ?? [];
+  const baselineEntries = existingBaseline.entries ?? [];
   const baselineMap     = new Map(baselineEntries.map(e => [normaliseUrl(e.request.url), e]));
   const currentMap      = new Map(requests.map(r => [normaliseUrl(r.url), r]));
 

package/src/utils/pr-diff-analyzer.js

@@ -0,0 +1,121 @@
+/**
+ * PR Diff Analyzer — maps GitHub PR changed files to affected Argus routes.
+ *
+ * parsePrUrl(prUrl)               → { owner, repo, prNumber }
+ * fetchPrFiles(prUrl, token)      → string[] of changed file paths
+ * mapFilesToRoutes(files, routes) → Route[] subset likely affected by the diff
+ *
+ * Pure functions + one async fetch — no Chrome, no MCP, no AI verdict.
+ * AI verdict logic ships separately in the private argus-pro repo.
+ */
+
+/**
+ * Parse a GitHub PR URL into its owner/repo/prNumber components.
+ *
+ * Accepted formats:
+ *   https://github.com/owner/repo/pull/123
+ *   https://github.com/owner/repo/pull/123/files
+ *
+ * @param {string} prUrl
+ * @returns {{ owner: string, repo: string, prNumber: number }}
+ */
+export function parsePrUrl(prUrl) {
+  const match = String(prUrl).match(
+    /^https?:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)/,
+  );
+  if (!match) throw new Error(`Invalid GitHub PR URL: ${prUrl}`);
+  return { owner: match[1], repo: match[2], prNumber: parseInt(match[3], 10) };
+}
+
+/**
+ * Fetch the list of file paths changed by a GitHub pull request (up to 100 files).
+ *
+ * @param {string} prUrl        - GitHub PR URL (any format accepted by parsePrUrl)
+ * @param {string} [githubToken] - GitHub token; omit for public repos
+ * @returns {Promise<string[]>}  - Changed file paths relative to the repo root
+ */
+export async function fetchPrFiles(prUrl, githubToken) {
+  const { owner, repo, prNumber } = parsePrUrl(prUrl);
+  const apiUrl =
+    `https://api.github.com/repos/${owner}/${repo}/pulls/${prNumber}/files?per_page=100`;
+  const headers = {
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28',
+    'User-Agent': 'argusqa-os',
+    ...(githubToken ? { Authorization: `Bearer ${githubToken}` } : {}),
+  };
+
+  const res = await fetch(apiUrl, { headers });
+  if (!res.ok) {
+    const body = await res.text().catch(() => '');
+    throw new Error(`GitHub API ${res.status}: ${body || res.statusText}`);
+  }
+  const files = await res.json();
+  return files.map(f => f.filename);
+}
+
+/**
+ * Patterns that indicate an infrastructure-level file whose change can affect
+ * every route — framework configs, root layouts, global stylesheets, package.json.
+ */
+const INFRA_PATTERNS = [
+  /next\.config\./i,
+  /vite\.config\./i,
+  /tailwind\.config\./i,
+  /postcss\.config\./i,
+  /webpack\.config\./i,
+  /global(s)?\.(css|scss|less)$/i,
+  /(^|[/\\])(layout|_app|_document|root)\.(tsx?|jsx?)$/i,
+  /(^|[/\\])app\.(tsx?|jsx?)$/i,
+  /(^|[/\\])main\.(tsx?|jsx?)$/i,
+  /package\.json$/i,
+];
+
+/**
+ * Map a list of changed file paths to the subset of Argus route configs that
+ * are likely affected, using heuristic slug matching.
+ *
+ * Heuristic rules (applied in order):
+ *   1. Any infrastructure file → return ALL routes (full audit)
+ *   2. File path contains a slug that matches a route path segment → include that route
+ *   3. No matches → return ALL routes (conservative fallback — never miss a regression)
+ *
+ * @param {string[]} changedFiles - Relative file paths from fetchPrFiles
+ * @param {Array<{ path: string, name: string }>} routes - Route configs from targets.js
+ * @returns {Array<{ path: string, name: string }>}
+ */
+export function mapFilesToRoutes(changedFiles, routes) {
+  if (!routes || routes.length === 0) return [];
+  if (!changedFiles || changedFiles.length === 0) return routes;
+
+  // Infrastructure change → full audit
+  if (changedFiles.some(f => INFRA_PATTERNS.some(re => re.test(f)))) {
+    return routes;
+  }
+
+  // Build a flat set of lowercase slugs from every changed file path
+  const fileSlugs = new Set(
+    changedFiles.flatMap(f =>
+      // Strip extension, split on separators, keep non-trivial tokens
+      f.toLowerCase()
+        .replace(/\.[^./\\]+$/, '')
+        .split(/[/\\._-]+/)
+        .filter(s => s.length > 1),
+    ),
+  );
+
+  // Extract meaningful segments from a route path (e.g. "/checkout/review" → ["checkout","review"])
+  const routeSegments = (route) =>
+    route.path
+      .toLowerCase()
+      .split('/')
+      .map(s => s.replace(/[^a-z0-9]/g, ''))
+      .filter(s => s.length > 1);
+
+  const matched = routes.filter(route =>
+    routeSegments(route).some(seg => fileSlugs.has(seg)),
+  );
+
+  // Conservative fallback: if nothing matched, audit everything
+  return matched.length > 0 ? matched : routes;
+}

package/src/utils/route-discoverer.js

@@ -74,7 +74,7 @@ export async function discoverFromSitemap(baseUrl) {
   const origin = new URL(baseUrl).origin;
   const sitemapUrl = `${baseUrl.replace(/\/$/, '')}/sitemap.xml`;
   try {
-    const res = await fetch(sitemapUrl, { signal: AbortSignal.timeout(10000) });
+    const res = await fetch(sitemapUrl, { signal: AbortSignal.timeout(10000) }); // lgtm[js/ssrf] — sitemapUrl is derived from developer-configured baseUrl in targets.js, not from HTTP request input
     if (!res.ok) return [];
 
     const buf = await res.arrayBuffer();

package/src/utils/security-analyzer.js

@@ -132,7 +132,7 @@ export function parseSecurityAnalysisResult(rawResult, url) {
     // all field lookups (storageTokenKeys, evalUsage, etc.) return undefined — zero findings.
     // JSON.stringify on a circular object throws; catch logs and returns [].
     let raw = rawResult;
-    if (typeof raw === 'object' && !Array.isArray(raw) && raw !== null && raw.result !== undefined) {
+    if (typeof raw === 'object' && !Array.isArray(raw) && raw !== null && raw.result !== undefined) { // lgtm[js/comparison-of-unconvertible-types] — typeof null === 'object', so raw !== null is required after the typeof check
       raw = raw.result;
     }
     const str = typeof raw === 'string' ? raw : JSON.stringify(raw);

package/src/utils/seo-analyzer.js

@@ -48,7 +48,7 @@ export function parseSeoAnalysisResult(rawResult, url) {
   // client returns an object wrapper, JSON.stringify(rawResult) serialises the envelope
   // instead of the inner payload and all SEO fields are undefined → false positives.
   let inner = rawResult;
-  if (typeof rawResult === 'object' && rawResult !== null && !Array.isArray(rawResult)) {
+  if (typeof rawResult === 'object' && rawResult !== null && !Array.isArray(rawResult)) { // lgtm[js/comparison-of-unconvertible-types] — typeof null === 'object', so rawResult !== null is required after the typeof check
     inner = rawResult.result !== undefined ? rawResult.result : rawResult;
   }
 

package/src/utils/session-persistence.js

@@ -65,7 +65,7 @@ function buildRestoreScript(state) {
     lines.push(`sessionStorage.setItem(${JSON.stringify(k)},${JSON.stringify(String(v ?? ''))});`);
   }
 
-  return `() => { ${lines.join(' ')} return true; }`;
+  return `() => { ${lines.join(' ')} return true; }`; // lgtm[js/code-injection] — all k/v values are JSON.stringify-escaped before insertion; derived from browser session storage, not HTTP request input
 }
 
 // ── Session Save ────────────────────────────────────────────────────────────────

package/src/utils/visual-diff-analyzer.js

@@ -141,13 +141,18 @@ export async function analyzeVisualRegression(browser, url, opts = {}) {
   const baselinePath = path.join(baselineDir, `${slug}.png`);
 
   // ── 3. First run: save baseline ─────────────────────────────────────────────
-  if (!fs.existsSync(baselinePath)) {
-    try {
-      fs.writeFileSync(baselinePath, currentBuf);
-    } catch (err) {
+  // Use flag:'wx' for atomic create — throws EEXIST if baseline was written concurrently (TOCTOU-safe).
+  let baselineIsNew = false;
+  try {
+    fs.writeFileSync(baselinePath, currentBuf, { flag: 'wx' });
+    baselineIsNew = true;
+  } catch (err) {
+    if (err.code !== 'EEXIST') {
       logger.warn(`[ARGUS] visual-diff: could not write baseline ${baselinePath}: ${err.message}`);
       return findings;
     }
+  }
+  if (baselineIsNew) {
 
     findings.push({
       type:     'visual_baseline_created',