argusqa-os 9.6.6 → 9.7.3

package/src/utils/root-cause-linker.js

@@ -0,0 +1,169 @@
+/**
+ * Root Cause Linking — recent git changes → suspect files per finding.
+ *
+ * Pure git-diff heuristic: no external API, no AI call. Reads the last N
+ * commits from the local repo (`git log --name-only`), maps changed files to
+ * route paths with the same slug heuristic as pr-diff-analyzer, and annotates
+ * each NEW finding (isNew: true) with the files/commits most likely to have
+ * caused it:
+ *
+ *   finding.rootCause = {
+ *     files:   ['src/pages/checkout/Form.jsx', ...],   // ≤ MAX_FILES
+ *     commits: [{ hash: 'abc1234', subject: '...' }],  // ≤ MAX_COMMITS
+ *     global:  false,  // true when only infra-level files matched
+ *   }
+ *
+ * Only new findings are annotated — a finding that predates the recent commits
+ * cannot have been caused by them. Source repo defaults to ARGUS_SOURCE_DIR or
+ * the current working directory. Disable with ARGUS_ROOT_CAUSE=0.
+ */
+
+import { execSync } from 'child_process';
+import { INFRA_PATTERNS } from './pr-diff-analyzer.js';
+import { childLogger }    from './logger.js';
+
+const logger = childLogger('root-cause-linker');
+
+/** Commits inspected by default. */
+export const DEFAULT_COMMITS = 10;
+/** Max suspect files attached to one finding. */
+const MAX_FILES = 5;
+/** Max commits attached to one finding. */
+const MAX_COMMITS = 3;
+
+/**
+ * Read the last N commits with their changed files from a local git repo.
+ * Returns [] when the directory is not a repo, git is unavailable, or the
+ * command fails — root cause linking is always best-effort.
+ *
+ * @param {string} [repoDir]  - Defaults to ARGUS_SOURCE_DIR, then cwd
+ * @param {object} [opts]
+ * @param {number} [opts.commits]
+ * @returns {Array<{ hash: string, subject: string, files: string[] }>}
+ */
+export function getRecentChanges(repoDir = process.env.ARGUS_SOURCE_DIR || process.cwd(), { commits = DEFAULT_COMMITS } = {}) {
+  let out;
+  try {
+    out = execSync(`git log --name-only --pretty=format:%h%x09%s -n ${Math.max(1, commits | 0)}`, {
+      cwd: repoDir,
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 5000,
+    }).toString();
+  } catch {
+    return [];
+  }
+
+  const changes = [];
+  let current = null;
+  for (const line of out.split('\n')) {
+    const trimmed = line.trimEnd();
+    if (!trimmed) continue;
+    if (trimmed.includes('\t')) {
+      const [hash, ...subjectParts] = trimmed.split('\t');
+      current = { hash, subject: subjectParts.join('\t'), files: [] };
+      changes.push(current);
+    } else if (current) {
+      // Git emits paths with forward slashes on every platform
+      current.files.push(trimmed);
+    }
+  }
+  return changes;
+}
+
+/**
+ * Match changed file paths against one route path using the slug heuristic
+ * from pr-diff-analyzer: a file matches when any of its path/name slugs equals
+ * a route path segment. Infra-level files (configs, root layouts, global CSS)
+ * match every route and are reported via `global`.
+ *
+ * @param {string[]} files
+ * @param {string}   routePath  - e.g. "/checkout/review"
+ * @returns {{ files: string[], global: boolean }}
+ */
+export function matchFilesToRoutePath(files, routePath) {
+  const segments = String(routePath ?? '')
+    .toLowerCase()
+    .split('/')
+    .map(s => s.replace(/[^a-z0-9]/g, ''))
+    .filter(s => s.length > 1);
+
+  const matched = [];
+  let global = false;
+
+  for (const file of (files ?? [])) {
+    if (INFRA_PATTERNS.some(re => re.test(file))) {
+      global = true;
+      continue;
+    }
+    if (segments.length === 0) continue; // home route "/" — only infra files apply
+    const slugs = file
+      .toLowerCase()
+      .replace(/\.[^./\\]+$/, '')
+      .split(/[/\\._-]+/)
+      .filter(s => s.length > 1);
+    if (segments.some(seg => slugs.includes(seg))) matched.push(file);
+  }
+
+  return { files: matched, global };
+}
+
+/**
+ * Annotate NEW findings in the report with `rootCause` (mutates in place).
+ *
+ * For each route, slug-matches every recent commit's files against the route's
+ * URL pathname. Direct file matches win; when only infra-level files changed,
+ * the annotation carries `global: true` with those files as suspects.
+ *
+ * @param {object} report   - { routes: [{ url, errors }] }; findings need isNew
+ * @param {Array}  changes  - From getRecentChanges()
+ * @returns {{ linkedCount: number }}
+ */
+export function linkRootCauses(report, changes) {
+  let linkedCount = 0;
+  if (!Array.isArray(changes) || changes.length === 0) return { linkedCount };
+
+  for (const routeResult of (report.routes ?? [])) {
+    let routePath;
+    try {
+      routePath = new URL(routeResult.url).pathname;
+    } catch {
+      continue;
+    }
+
+    // Collect suspect files + commits for this route across the recent commits
+    const directFiles = [];
+    const infraFiles  = [];
+    const directCommits = [];
+    const infraCommits  = [];
+    for (const commit of changes) {
+      const { files, global } = matchFilesToRoutePath(commit.files, routePath);
+      if (files.length > 0) {
+        directFiles.push(...files);
+        directCommits.push({ hash: commit.hash, subject: commit.subject });
+      } else if (global) {
+        infraFiles.push(...commit.files.filter(f => INFRA_PATTERNS.some(re => re.test(f))));
+        infraCommits.push({ hash: commit.hash, subject: commit.subject });
+      }
+    }
+
+    const useDirect = directFiles.length > 0;
+    const suspectFiles   = [...new Set(useDirect ? directFiles : infraFiles)].slice(0, MAX_FILES);
+    const suspectCommits = (useDirect ? directCommits : infraCommits).slice(0, MAX_COMMITS);
+    if (suspectFiles.length === 0) continue;
+
+    for (const finding of (routeResult.errors ?? [])) {
+      if (!finding.isNew) continue; // pre-existing findings predate these commits
+      finding.rootCause = {
+        files:   suspectFiles,
+        commits: suspectCommits,
+        global:  !useDirect,
+      };
+      linkedCount++;
+    }
+  }
+
+  if (linkedCount > 0) {
+    logger.info(`[ARGUS] Root cause linking: ${linkedCount} new finding(s) linked to recent commits`);
+  }
+  return { linkedCount };
+}

package/src/utils/screen-recorder.js

@@ -0,0 +1,250 @@
+/**
+ * Argus Screen Recorder
+ *
+ * Records an audit session as a series of JPEG frames by periodically
+ * calling browser.screenshot(). Frames are saved to reports/recordings/<id>/.
+ *
+ * For genuine CDP screencast (Page.startScreencast) instead of polling,
+ * install the optional `ws` package:
+ *   npm install ws
+ * then use CdpScreenRecorder (exported below) which connects directly to
+ * Chrome's WebSocket debugger URL.
+ *
+ * Usage (polling recorder — no extra deps):
+ *   import { PollingRecorder } from './screen-recorder.js';
+ *   const rec = new PollingRecorder(browser, { intervalMs: 500 });
+ *   rec.start();
+ *   // ... run audit ...
+ *   const outputDir = await rec.stop('./reports/recordings/my-run');
+ *
+ * Usage (CDP screencast — requires ws):
+ *   import { CdpScreenRecorder } from './screen-recorder.js';
+ *   const rec = await CdpScreenRecorder.create(9222);
+ *   await rec.start();
+ *   // ...
+ *   const outputDir = await rec.stop('./reports/recordings/my-run');
+ */
+
+import { spawn } from 'child_process';
+import fs   from 'fs';
+import path from 'path';
+import http from 'http';
+
+// ── Polling Recorder (no extra dependencies) ──────────────────────────────────
+
+export class PollingRecorder {
+  /**
+   * @param {import('../adapters/browser.js').CdpBrowserAdapter} browser
+   * @param {{ intervalMs?: number, quality?: number }} [options]
+   */
+  constructor(browser, options = {}) {
+    this._browser   = browser;
+    this._intervalMs = options.intervalMs ?? 500;
+    this._quality    = options.quality    ?? 70;
+    this._frames     = [];
+    this._timer      = null;
+    this._startedAt  = null;
+  }
+
+  /** Begin periodic screenshot capture. */
+  start() {
+    if (this._timer) return;
+    this._startedAt = Date.now();
+    this._frames    = [];
+    this._timer     = setInterval(async () => {
+      try {
+        const raw = await this._browser.screenshot({ quality: this._quality });
+        // screenshot() returns an MCP result — extract base64 data if wrapped
+        const b64 = typeof raw === 'object' ? (raw.result ?? raw.data ?? raw) : raw;
+        if (b64) this._frames.push({ ts: Date.now(), data: b64 });
+      } catch { /* ignore individual capture errors */ }
+    }, this._intervalMs);
+  }
+
+  /**
+   * Stop recording and save frames to outputDir.
+   *
+   * @param {string} outputDir - Directory to write frame-NNN.jpg files into
+   * @returns {Promise<{ outputDir: string, frameCount: number, durationMs: number }>}
+   */
+  async stop(outputDir) {
+    if (this._timer) {
+      clearInterval(this._timer);
+      this._timer = null;
+    }
+
+    const durationMs = Date.now() - (this._startedAt ?? Date.now());
+    const frames     = this._frames.slice();
+    this._frames     = [];
+
+    const resolved = path.resolve(outputDir);
+    fs.mkdirSync(resolved, { recursive: true });
+
+    for (let i = 0; i < frames.length; i++) {
+      const name     = `frame-${String(i).padStart(4, '0')}.jpg`;
+      const filePath = path.join(resolved, name);
+      const b64      = frames[i].data;
+      // b64 may be a data URL prefix — strip it
+      const raw = typeof b64 === 'string'
+        ? b64.replace(/^data:image\/\w+;base64,/, '')
+        : b64;
+      try {
+        fs.writeFileSync(filePath, Buffer.from(raw, 'base64'));
+      } catch { /* skip unwritable frames */ }
+    }
+
+    // Write metadata + ffmpeg hint
+    const meta = {
+      frameCount:  frames.length,
+      durationMs,
+      intervalMs:  this._intervalMs,
+      capturedAt:  new Date(this._startedAt).toISOString(),
+      ffmpegHint:  `ffmpeg -framerate ${Math.round(1000 / this._intervalMs)} -i frame-%04d.jpg -c:v libx264 -pix_fmt yuv420p recording.mp4`,
+    };
+    fs.writeFileSync(path.join(resolved, 'meta.json'), JSON.stringify(meta, null, 2));
+
+    // Run ffmpeg automatically if available
+    await _tryFfmpeg(resolved, meta.intervalMs).catch(() => {});
+
+    return { outputDir: resolved, frameCount: frames.length, durationMs };
+  }
+}
+
+// ── CDP Screencast Recorder (requires ws package) ─────────────────────────────
+
+export class CdpScreenRecorder {
+  constructor(ws, sessionId) {
+    this._ws        = ws;
+    this._sessionId = sessionId;
+    this._frames    = [];
+    this._startedAt = null;
+    this._msgId     = 1;
+  }
+
+  /**
+   * Create a CdpScreenRecorder connected to the first Chrome tab.
+   * Requires the `ws` package: npm install ws
+   *
+   * @param {number} [port=9222]
+   * @returns {Promise<CdpScreenRecorder>}
+   */
+  static async create(port = 9222) {
+    let WebSocket;
+    try {
+      WebSocket = (await import('ws')).default;
+    } catch {
+      throw new Error(
+        'CDP screencast requires the ws package:\n' +
+        '  npm install ws\n' +
+        'Or use PollingRecorder instead (no extra deps).'
+      );
+    }
+
+    const debuggerUrl = await _fetchDebuggerUrl(port);
+    const ws = new WebSocket(debuggerUrl);
+
+    await new Promise((resolve, reject) => {
+      ws.once('open', resolve);
+      ws.once('error', reject);
+    });
+
+    const rec = new CdpScreenRecorder(ws, null);
+    ws.on('message', data => {
+      try {
+        const msg = JSON.parse(data.toString());
+        if (msg.method === 'Page.screencastFrame') {
+          rec._frames.push({ ts: Date.now(), data: msg.params.data });
+          // Acknowledge the frame to keep Chrome sending
+          rec._send('Page.screencastFrameAck', { sessionId: msg.params.metadata.sessionId });
+        }
+      } catch { /* ignore parse errors */ }
+    });
+
+    return rec;
+  }
+
+  _send(method, params = {}) {
+    this._ws.send(JSON.stringify({ id: this._msgId++, method, params }));
+  }
+
+  /** Start CDP screencast. */
+  async start() {
+    this._startedAt = Date.now();
+    this._frames    = [];
+    this._send('Page.startScreencast', {
+      format:        'jpeg',
+      quality:       70,
+      maxWidth:      1280,
+      maxHeight:     900,
+      everyNthFrame: 1,
+    });
+  }
+
+  /**
+   * Stop screencast and save frames to outputDir.
+   *
+   * @param {string} outputDir
+   * @returns {Promise<{ outputDir: string, frameCount: number, durationMs: number }>}
+   */
+  async stop(outputDir) {
+    this._send('Page.stopScreencast');
+    await new Promise(r => setTimeout(r, 200)); // drain any buffered frames
+    this._ws.close();
+
+    const durationMs = Date.now() - (this._startedAt ?? Date.now());
+    const frames     = this._frames.slice();
+    const resolved   = path.resolve(outputDir);
+
+    fs.mkdirSync(resolved, { recursive: true });
+
+    for (let i = 0; i < frames.length; i++) {
+      const name = `frame-${String(i).padStart(4, '0')}.jpg`;
+      fs.writeFileSync(path.join(resolved, name), Buffer.from(frames[i].data, 'base64'));
+    }
+
+    const meta = {
+      frameCount: frames.length,
+      durationMs,
+      capturedAt: new Date(this._startedAt).toISOString(),
+      ffmpegHint: `ffmpeg -framerate 2 -i frame-%04d.jpg -c:v libx264 -pix_fmt yuv420p recording.mp4`,
+    };
+    fs.writeFileSync(path.join(resolved, 'meta.json'), JSON.stringify(meta, null, 2));
+
+    await _tryFfmpeg(resolved, 500).catch(() => {});
+
+    return { outputDir: resolved, frameCount: frames.length, durationMs };
+  }
+}
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+function _fetchDebuggerUrl(port) {
+  return new Promise((resolve, reject) => {
+    http.get(`http://localhost:${port}/json/list`, res => {
+      let body = '';
+      res.on('data', d => { body += d; });
+      res.on('end', () => {
+        try {
+          const pages = JSON.parse(body);
+          const target = pages.find(p => p.type === 'page') ?? pages[0];
+          if (!target?.webSocketDebuggerUrl) reject(new Error('No debuggable Chrome page found'));
+          else resolve(target.webSocketDebuggerUrl);
+        } catch (e) { reject(e); }
+      });
+    }).on('error', reject);
+  });
+}
+
+function _tryFfmpeg(outputDir, intervalMs) {
+  return new Promise((resolve, reject) => {
+    const fps  = Math.max(1, Math.round(1000 / intervalMs));
+    const proc = spawn('ffmpeg', [
+      '-y', '-framerate', String(fps),
+      '-i', 'frame-%04d.jpg',
+      '-c:v', 'libx264', '-pix_fmt', 'yuv420p',
+      'recording.mp4',
+    ], { cwd: outputDir, stdio: 'ignore' });
+    proc.on('close', code => (code === 0 ? resolve() : reject(new Error(`ffmpeg exited ${code}`))));
+    proc.on('error', reject);
+  });
+}

package/src/utils/security-analyzer.js

@@ -18,6 +18,7 @@
  *      • HTTP resource on HTTPS page (D6.9) — skips loopback; only fires on real HTTPS origins
  */
 
+import { execFile }    from 'child_process';
 import { thresholds }  from '../config/targets.js';
 import { childLogger } from './logger.js';
 
@@ -111,7 +112,27 @@ export const SECURITY_ANALYSIS_SCRIPT = `async () => {
     }
   } catch (e) {}
 
-  return JSON.stringify({ storageTokenKeys: storageTokenKeys, evalUsage: evalUsage, jsCookies: jsCookies, hasCSP: hasCSP, hasXFrame: hasXFrame, unsandboxedIframes: unsandboxedIframes, unsafeBlankLinks: unsafeBlankLinks });
+  // 7. SRI check — external scripts and stylesheets without integrity attribute
+  var sriViolations = [];
+  try {
+    var pageOrigin = location.origin;
+    var extScripts = Array.prototype.slice.call(document.querySelectorAll('script[src]:not([integrity])'));
+    for (var sri_i = 0; sri_i < extScripts.length && sri_i < 20; sri_i++) {
+      var scriptSrc = extScripts[sri_i].src || '';
+      if (scriptSrc && !scriptSrc.startsWith(pageOrigin) && !scriptSrc.startsWith('/') && !scriptSrc.startsWith('blob:') && !scriptSrc.startsWith('data:')) {
+        sriViolations.push({ tag: 'script', src: scriptSrc.slice(0, 200) });
+      }
+    }
+    var extLinks = Array.prototype.slice.call(document.querySelectorAll('link[rel="stylesheet"][href]:not([integrity])'));
+    for (var sri_j = 0; sri_j < extLinks.length && sri_j < 20; sri_j++) {
+      var linkHref = extLinks[sri_j].href || '';
+      if (linkHref && !linkHref.startsWith(pageOrigin) && !linkHref.startsWith('/') && !linkHref.startsWith('blob:') && !linkHref.startsWith('data:')) {
+        sriViolations.push({ tag: 'link', src: linkHref.slice(0, 200) });
+      }
+    }
+  } catch (e) {}
+
+  return JSON.stringify({ storageTokenKeys: storageTokenKeys, evalUsage: evalUsage, jsCookies: jsCookies, hasCSP: hasCSP, hasXFrame: hasXFrame, unsandboxedIframes: unsandboxedIframes, unsafeBlankLinks: unsafeBlankLinks, sriViolations: sriViolations });
 }`;
 
 /**
@@ -219,6 +240,20 @@ export function parseSecurityAnalysisResult(rawResult, url) {
     });
   }
 
+  // SRI violations — external scripts/stylesheets without integrity attribute
+  if (Array.isArray(data.sriViolations) && data.sriViolations.length > 0) {
+    for (const v of data.sriViolations) {
+      bugs.push({
+        type:    'security_missing_sri',
+        tag:     v.tag,
+        src:     v.src,
+        message: `External <${v.tag}> without integrity attribute: "${String(v.src).slice(0, 200)}" — add integrity="sha384-..." to prevent supply-chain attacks`,
+        severity: 'warning',
+        url,
+      });
+    }
+  }
+
   return bugs;
 }
 
@@ -300,3 +335,99 @@ export function analyzeSecurityNetwork(networkReqs, url) {
   }
   return bugs;
 }
+
+/**
+ * Detect source map files being served in production.
+ * Source maps expose original unminified source code to anyone with DevTools open.
+ *
+ * @param {object[]} networkReqs - Network request entries ({ url })
+ * @param {string}   url - Page URL for context
+ * @returns {object[]}
+ */
+export function checkSourceMapExposure(networkReqs, url) {
+  const bugs = [];
+  for (const req of (Array.isArray(networkReqs) ? networkReqs : [])) {
+    const reqUrl = req.url ?? req.requestUrl ?? '';
+    if (!reqUrl) continue;
+    if (/\.(js|css)\.map(\?|$)/i.test(reqUrl) || /\/[^/]+\.map(\?|$)/.test(reqUrl)) {
+      bugs.push({
+        type:       'security_sourcemap_exposed',
+        requestUrl: reqUrl,
+        message:    `Source map publicly accessible: "${reqUrl.slice(0, 200)}" — remove or restrict .map files in production to protect original source code`,
+        severity:   'warning',
+        url,
+      });
+    }
+  }
+  return bugs;
+}
+
+/**
+ * Detect open redirect parameters in network request URLs.
+ * Open redirects allow attackers to craft phishing URLs that appear to come from
+ * the legitimate domain.
+ *
+ * @param {object[]} networkReqs - Network request entries ({ url })
+ * @param {string}   url - Page URL for context
+ * @returns {object[]}
+ */
+export function checkOpenRedirects(networkReqs, url) {
+  // 'to', 'target', 'url' excluded — too common in non-redirect contexts (CDN proxies, nav params).
+  const redirectParams = /[?&](redirect|return|next|dest|destination|goto|redir|forward)=/i;
+  const bugs = [];
+  for (const req of (Array.isArray(networkReqs) ? networkReqs : [])) {
+    const reqUrl = req.url ?? req.requestUrl ?? '';
+    if (!reqUrl || !redirectParams.test(reqUrl)) continue;
+    bugs.push({
+      type:       'security_open_redirect',
+      requestUrl: reqUrl,
+      message:    `Potential open redirect parameter in URL: "${reqUrl.slice(0, 200)}" — validate redirect targets server-side against an allowlist`,
+      severity:   'warning',
+      url,
+    });
+  }
+  return bugs;
+}
+
+/**
+ * Run `npm audit --json` in the given project directory and convert CVEs to findings.
+ * Skips silently if projectDir is falsy, npm is not available, or the project has
+ * no package.json (not a Node project).
+ *
+ * @param {string|null} projectDir - Absolute path to the project root
+ * @returns {Promise<object[]>}
+ */
+export async function auditNpmDependencies(projectDir) {
+  if (!projectDir) return [];
+
+  return new Promise(resolve => {
+    // shell: true resolves npm.cmd on Windows; harmless on macOS/Linux.
+    execFile('npm', ['audit', '--json'], { cwd: projectDir, maxBuffer: 4 * 1024 * 1024, shell: true }, (err, stdout) => {
+      // npm audit exits non-zero when vulnerabilities exist — we still want stdout.
+      if (!stdout) return resolve([]);
+      let report;
+      try { report = JSON.parse(stdout); } catch { return resolve([]); }
+
+      const bugs = [];
+      const vulns = report?.vulnerabilities ?? report?.advisories ?? {};
+
+      for (const [name, info] of Object.entries(vulns)) {
+        const sev = String(info.severity ?? 'moderate').toLowerCase();
+        const via = Array.isArray(info.via)
+          ? info.via.filter(v => typeof v === 'string').join(', ')
+          : '';
+        bugs.push({
+          type:     'security_npm_vulnerability',
+          package:  name,
+          severity: sev === 'critical' || sev === 'high' ? 'critical' : 'warning',
+          message:  `npm vulnerability in "${name}"${via ? ` via ${via}` : ''} (${sev}) — run \`npm audit fix\` to resolve`,
+          via,
+        });
+      }
+
+      // Deduplicate by package name (advisories-style reports can have duplicates).
+      const seen = new Set();
+      resolve(bugs.filter(b => { if (seen.has(b.package)) return false; seen.add(b.package); return true; }));
+    });
+  });
+}

package/src/utils/theme-analyzer.js

@@ -1,5 +1,5 @@
 /**
- * ARGUS Theme Analyzer (Sprint 1 — A7: Theme & Dark Mode)
+ * ARGUS Theme Analyzer (A7: Theme & Dark Mode)
  *
  * Detects dark mode support gaps and theme consistency issues by:
  *   1. Scanning all stylesheets for @media (prefers-color-scheme: dark) rules

package/src/utils/visual-diff-analyzer.js

@@ -1,5 +1,5 @@
 /**
- * ARGUS Visual Regression Analyzer (Sprint 3 — A8)
+ * ARGUS Visual Regression Analyzer (A8)
  *
  * Per-route visual regression detection via screenshot baseline comparison.
  * Takes a PNG screenshot, compares it pixel-by-pixel against a stored baseline,

package/src/utils/web-vitals-analyzer.js

@@ -1,5 +1,5 @@
 /**
- * ARGUS Web Vitals Analyzer (Sprint 9 — Advanced Performance Metrics)
+ * ARGUS Web Vitals Analyzer (Advanced Performance Metrics)
  *
  * Captures Core Web Vitals and performance metrics directly via the browser
  * Performance API. Unlike Lighthouse, this works in headless Chrome — metrics