cerber-core 1.1.6 → 1.1.8

package/team/templates/BACKEND_SCHEMA.ts.tpl

@@ -1,50 +1,87 @@
-/**
- * ⚠️  CERBER TEMPLATE (NOT SOURCE OF TRUTH)
- * 
- * This file is a starting point. Edit it to match YOUR architecture.
- * The source of truth is CERBER.md.
- * 
- * Generated by: npx cerber init
- * Project: {{PROJECT_NAME}}
- * 
- * See: https://github.com/Agaslez/cerber-core#guardian-configuration
- */
-
-export const BACKEND_SCHEMA = {
-  version: "1.0.0",
-  
-  // Your architecture rules (customize)
-  rules: [],
-  
-  // Patterns that should never appear in your code
-  forbiddenPatterns: [
-    // Uncomment and customize based on your tech stack:
-    // {
-    //   pattern: "password\\s*=\\s*['\"][^'\"]+['\"]",
-    //   flags: "i",
-    //   name: "Hardcoded passwords",
-    //   severity: "error"
-    // },
-    // {
-    //   pattern: "api[_-]?key\\s*=\\s*['\"][^'\"]+['\"]",
-    //   flags: "i",
-    //   name: "Hardcoded API keys",
-    //   severity: "error"
-    // }
-  ]
-};
-
-export default BACKEND_SCHEMA;
-
-/**
- * 💡 Next Steps:
- * 
- * 1. Define your project structure in CERBER.md (single source of truth)
- * 2. Add forbiddenPatterns for your tech stack
- * 3. Add requiredImports rules for your architecture layers
- * 4. Test with: npx cerber-guardian
- * 
- * Full examples:
- * - node_modules/cerber-core/examples/backend-schema.ts
- * - node_modules/cerber-core/examples/frontend-schema.ts
- */
+/**
+ * ⚠️  CERBER TEMPLATE (NOT SOURCE OF TRUTH)
+ * 
+ * This file is a starting point. Edit it to match YOUR architecture.
+ * The source of truth is CERBER.md.
+ * 
+ * Generated by: npx cerber init
+ * Project: {{PROJECT_NAME}}
+ * 
+ * See: https://github.com/Agaslez/cerber-core#guardian-configuration
+ */
+
+export const BACKEND_SCHEMA = {
+  version: "1.0.0",
+  
+  // Your architecture rules (customize)
+  rules: [],
+  
+  // Patterns that should never appear in your code
+  forbiddenPatterns: [
+    // ──────────────────────────────────────────────────────────────────────
+    // 🔐 SECURITY BASELINE (Uncomment and adapt to your CERBER.md contract)
+    // ──────────────────────────────────────────────────────────────────────
+    
+    // Hardcoded secrets (common examples - adapt to your stack):
+    // {
+    //   pattern: "password\\s*=\\s*['\"][^'\"]+['\"]"  ,
+    //   flags: "i",
+    //   name: "Hardcoded passwords (e.g., password='admin123')",
+    //   severity: "error"
+    // },
+    // {
+    //   pattern: "api[_-]?key\\s*=\\s*['\"][^'\"]+['\"]"  ,
+    //   flags: "i",
+    //   name: "Hardcoded API keys (e.g., API_KEY='xyz')",
+    //   severity: "error"
+    // },
+    // {
+    //   pattern: "JWT_SECRET\\s*=\\s*['\"][^'\"]+['\"]"  ,
+    //   flags: "i",
+    //   name: "Hardcoded JWT secrets",
+    //   severity: "error"
+    // },
+    
+    // Development artifacts (should not reach production):
+    // {
+    //   pattern: "console\\.log\\(",
+    //   flags: "g",
+    //   name: "console.log (use proper logging)",
+    //   severity: "warning"
+    // },
+    // {
+    //   pattern: "debugger;",
+    //   flags: "g",
+    //   name: "debugger statement",
+    //   severity: "warning"
+    // },
+    
+    // TODOs that should be resolved before commit:
+    // {
+    //   pattern: "TODO_REMOVE|FIXME_REMOVE",
+    //   flags: "i",
+    //   name: "Unresolved critical TODOs",
+    //   severity: "error"
+    // },
+    
+    // ──────────────────────────────────────────────────────────────────────
+    // ⚠️  IMPORTANT: Uncomment patterns that match rules in your CERBER.md
+    // Never invent rules. Only translate what's documented in your contract.
+    // ──────────────────────────────────────────────────────────────────────
+  ]
+};
+
+export default BACKEND_SCHEMA;
+
+/**
+ * 💡 Next Steps:
+ * 
+ * 1. Define your project structure in CERBER.md (single source of truth)
+ * 2. Add forbiddenPatterns for your tech stack
+ * 3. Add requiredImports rules for your architecture layers
+ * 4. Test with: npx cerber-guardian
+ * 
+ * Full examples:
+ * - node_modules/cerber-core/examples/backend-schema.ts
+ * - node_modules/cerber-core/examples/frontend-schema.ts
+ */

package/team/templates/CODEOWNERS.tpl

@@ -1,6 +1,18 @@
-# Generated by Cerber init
-
-/CERBER.md {{OWNERS}}
-/{{SCHEMA_FILE}} {{OWNERS}}
-/.github/workflows/cerber.yml {{OWNERS}}
-/scripts/cerber-guardian.mjs {{OWNERS}}
+# Generated by Cerber init
+# Protected Cerber assets - require owner approval for changes
+
+# Core contract and schema
+/CERBER.md {{OWNERS}}
+/{{SCHEMA_FILE}} {{OWNERS}}
+/BACKEND_SCHEMA.* {{OWNERS}}
+
+# CI/CD enforcement
+/.github/workflows/cerber.yml {{OWNERS}}
+
+# Pre-commit guardian
+/scripts/cerber-guardian.mjs {{OWNERS}}
+/.husky/pre-commit {{OWNERS}}
+
+# Ownership meta-file (self-protection)
+/.github/CODEOWNERS {{OWNERS}}
+

package/team/templates/cerber-guardian.mjs.tpl

@@ -1,148 +1,255 @@
-#!/usr/bin/env node
-// Generated by Cerber init - DO NOT EDIT MANUALLY
-// To regenerate: npx cerber init --force
-
-import { execSync } from 'child_process';
-import fs from 'fs';
-import { join } from 'path';
-
-const SCHEMA_FILE = '{{SCHEMA_FILE}}';
-const APPROVALS_TAG = '{{APPROVALS_TAG}}';
-
-async function main() {
-  console.log('🛡️  Cerber Guardian: Validating staged files...');
-
-  if (!fs.existsSync(SCHEMA_FILE)) {
-    console.error(`❌ Schema file not found: ${SCHEMA_FILE}`);
-    console.error('Create your schema file to enable validation.');
-    console.error(`Example: npx cerber init --print-schema-template > ${SCHEMA_FILE}`);
-    process.exit(1);
-  }
-
-  // Import schema
-  let schema;
-  try {
-    const schemaPath = join(process.cwd(), SCHEMA_FILE);
-    const schemaModule = await import(`file://${schemaPath}`);
-    schema = schemaModule.BACKEND_SCHEMA || schemaModule.default || schemaModule;
-  } catch (err) {
-    console.error(`❌ Failed to load schema from ${SCHEMA_FILE}:`, err.message);
-    process.exit(1);
-  }
-
-  // Get staged files
-  let stagedFiles;
-  try {
-    stagedFiles = execSync('git diff --cached --name-only', { encoding: 'utf-8' })
-      .trim()
-      .split('\n')
-      .filter(Boolean);
-  } catch (err) {
-    console.error('❌ Failed to get staged files');
-    process.exit(1);
-  }
-
-  if (stagedFiles.length === 0) {
-    console.log('✅ No files staged for commit');
-    return;
-  }
-
-  console.log(`Checking ${stagedFiles.length} file(s)...`);
-
-  const violations = [];
-
-  // Validate each staged file
-  for (const file of stagedFiles) {
-    if (!fs.existsSync(file)) continue;
-
-    const content = fs.readFileSync(file, 'utf-8');
-
-    // Check forbidden patterns
-    if (schema.forbiddenPatterns && Array.isArray(schema.forbiddenPatterns)) {
-      for (const rule of schema.forbiddenPatterns) {
-        if (!rule.pattern) continue;
-
-        const pattern = typeof rule.pattern === 'string' 
-          ? new RegExp(rule.pattern, rule.flags || 'i') 
-          : rule.pattern;
-        
-        // Check if file is in exceptions
-        if (rule.exceptions && rule.exceptions.some(ex => file.includes(ex))) {
-          continue;
-        }
-
-        if (pattern.test(content)) {
-          // Check for architect approval
-          const hasApproval = content.includes(APPROVALS_TAG);
-          
-          if (!hasApproval) {
-            violations.push({
-              file,
-              rule: rule.name || 'Unnamed rule',
-              severity: rule.severity || 'error'
-            });
-          }
-        }
-      }
-    }
-
-    // Check required imports (rules)
-    if (schema.rules && Array.isArray(schema.rules)) {
-      for (const rule of schema.rules) {
-        if (!rule.pattern || !rule.requiredImports) continue;
-
-        const filePattern = typeof rule.pattern === 'string' ? new RegExp(rule.pattern) : rule.pattern;
-        
-        if (!filePattern.test(file)) continue;
-
-        // Check if file is in exceptions
-        if (rule.exceptions && rule.exceptions.some(ex => file.includes(ex))) {
-          continue;
-        }
-
-        // Check each required import
-        for (const requiredImport of rule.requiredImports) {
-          const importPattern = new RegExp(`import.*${requiredImport}`, 'i');
-          
-          if (!importPattern.test(content)) {
-            // Check for architect approval
-            const hasApproval = content.includes(APPROVALS_TAG);
-            
-            if (!hasApproval) {
-              violations.push({
-                file,
-                rule: `${rule.name || 'Unnamed rule'}: missing import '${requiredImport}'`,
-                severity: rule.severity || 'error'
-              });
-            }
-          }
-        }
-      }
-    }
-  }
-
-  // Report violations
-  if (violations.length > 0) {
-    console.error('\n❌ Architecture violations detected:\n');
-    
-    for (const v of violations) {
-      const icon = v.severity === 'error' ? '🔴' : '⚠️';
-      console.error(`${icon} [${v.severity.toUpperCase()}] ${v.file}`);
-      console.error(`   ${v.rule}`);
-      console.error(`   Add ${APPROVALS_TAG} comment to override\n`);
-    }
-    
-    const errorCount = violations.filter(v => v.severity === 'error').length;
-    if (errorCount > 0) {
-      console.error(`\n❌ Commit blocked: ${errorCount} error(s) found`);
-      process.exit(1);
-    }
-  }
-
-  console.log('✅ All checks passed');
-}
-
-main().catch(err => {
-  console.error('❌ Guardian check failed:', err?.message || err);
-  process.exit(1);
-});
+#!/usr/bin/env node
+// Generated by Cerber init - DO NOT EDIT MANUALLY
+// To regenerate: npx cerber init --force
+
+import { execSync } from 'child_process';
+import fs from 'fs';
+import { join } from 'path';
+
+const APPROVALS_TAG = '{{APPROVALS_TAG}}';
+
+function readYamlValue(text, key) {
+  const re = new RegExp(`^\\s*${key}\\s*:\\s*(.*)\\s*$`, "m");
+  const m = text.match(re);
+  if (!m) return "";
+  let v = (m[1] ?? "").trim();
+
+  // Remove quotes
+  v = v.replace(/^["']/,"").replace(/["']$/,"");
+  return v.trim();
+}
+
+function parseOverride(cerberContent) {
+  const enabledRaw = readYamlValue(cerberContent, "enabled");
+  const enabled = enabledRaw.toLowerCase() === "true";
+
+  const reason = readYamlValue(cerberContent, "reason");
+  const expiresRaw = readYamlValue(cerberContent, "expires");
+  const approvedBy = readYamlValue(cerberContent, "approvedBy");
+
+  if (!enabled) return { state: "DISABLED", reason, expires: expiresRaw, approvedBy };
+
+  if (!expiresRaw) return { state: "ACTIVE", reason, expires: "", approvedBy };
+
+  const expiresDate = new Date(expiresRaw);
+  if (Number.isNaN(expiresDate.getTime())) {
+    return { state: "INVALID", reason, expires: expiresRaw, approvedBy };
+  }
+
+  if (expiresDate.getTime() < Date.now()) {
+    return { state: "EXPIRED", reason, expires: expiresRaw, approvedBy };
+  }
+
+  return { state: "ACTIVE", reason, expires: expiresRaw, approvedBy };
+}
+
+async function main() {
+  console.log('🛡️  Cerber Guardian: Validating staged files...');
+
+  // Check for emergency override
+  const cerberMdPath = join(process.cwd(), 'CERBER.md');
+  if (fs.existsSync(cerberMdPath)) {
+    const cerberContent = fs.readFileSync(cerberMdPath, 'utf-8');
+    const overrideMatch = cerberContent.match(/CERBER_OVERRIDE:\s*\n\s*enabled:\s*(true|false)/);
+    
+    if (overrideMatch && overrideMatch[1] === 'true') {
+      const override = parseOverride(cerberContent);
+      const { state, reason, expires, approvedBy } = override;
+      
+      if (state === 'ACTIVE') {
+        // Override ACTIVE - allow commit with warning
+        console.log('');
+        console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+        console.log('⚠️  CERBER EMERGENCY OVERRIDE ACTIVE');
+        console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+        console.log('');
+        console.log(`Status:      ACTIVE`);
+        console.log(`Reason:      ${reason}`);
+        console.log(`Expires:     ${expires}`);
+        console.log(`Approved By: ${approvedBy}`);
+        console.log('');
+        console.log('Guardian checks: BYPASSED WITH WARNING');
+        console.log('Self-protection: STILL ACTIVE (cerber-integrity runs)');
+        console.log('');
+        console.log('⚠️  Create follow-up PR to fix properly + disable override');
+        console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+        console.log('');
+        process.exit(0);  // Allow commit
+      } else if (state === 'EXPIRED') {
+        console.log('⚠️  Override expired - proceeding with normal validation');
+      } else {
+        console.log('⚠️  Override invalid (missing required fields) - proceeding with normal validation');
+      }
+    }
+  }
+
+  // Load schema from CERBER.md
+  if (!fs.existsSync(cerberMdPath)) {
+    console.error('❌ CERBER.md not found');
+    console.error('Run: npx cerber init');
+    process.exit(5);
+  }
+
+  const cerberContent = fs.readFileSync(cerberMdPath, 'utf-8');
+  
+  // Parse SCHEMA section
+  const schemaMatch = cerberContent.match(/SCHEMA:\s*\n\s*mode:\s*(\w+)/);
+  if (!schemaMatch) {
+    console.error('❌ SCHEMA section not found in CERBER.md');
+    console.error('Add SCHEMA section with mode: required or mode: disabled');
+    process.exit(5);
+  }
+
+  const schemaMode = schemaMatch[1];
+  if (schemaMode === 'disabled') {
+    console.log('⚠️  Schema validation disabled (SCHEMA.mode: disabled)');
+    console.log('✅ Bypassing validation');
+    return;
+  }
+
+  // Extract forbidden patterns
+  const forbiddenPatterns = [];
+  const patternsMatch = cerberContent.match(/forbiddenPatterns:\s*\n([\s\S]*?)(?=\n\w|\nSCHEMA:|$)/);
+  if (patternsMatch) {
+    const patternLines = patternsMatch[1].match(/- "([^"]+)"/g);
+    if (patternLines) {
+      patternLines.forEach(line => {
+        const pattern = line.match(/- "([^"]+)"/)?.[1];
+        if (pattern) {
+          forbiddenPatterns.push({
+            pattern: pattern,
+            name: `Forbidden: ${pattern}`,
+            severity: 'error'
+          });
+        }
+      });
+    }
+  }
+
+  if (schemaMode === 'required' && forbiddenPatterns.length === 0) {
+    console.error('❌ SCHEMA.mode: required but no rules defined');
+    console.error('Add forbiddenPatterns to SCHEMA section in CERBER.md');
+    process.exit(5);
+  }
+
+  const schema = {
+    forbiddenPatterns: forbiddenPatterns,
+    rules: []
+  };
+
+  // Get staged files
+  let stagedFiles;
+  try {
+    stagedFiles = execSync('git diff --cached --name-only', { encoding: 'utf-8' })
+      .trim()
+      .split('\n')
+      .filter(Boolean);
+  } catch (err) {
+    console.error('❌ Failed to get staged files');
+    process.exit(1);
+  }
+
+  if (stagedFiles.length === 0) {
+    console.log('✅ No files staged for commit');
+    return;
+  }
+
+  console.log(`Checking ${stagedFiles.length} file(s)...`);
+
+  const violations = [];
+
+  // Validate each staged file
+  for (const file of stagedFiles) {
+    if (!fs.existsSync(file)) continue;
+
+    const content = fs.readFileSync(file, 'utf-8');
+
+    // Check forbidden patterns
+    if (schema.forbiddenPatterns && Array.isArray(schema.forbiddenPatterns)) {
+      for (const rule of schema.forbiddenPatterns) {
+        if (!rule.pattern) continue;
+
+        const pattern = typeof rule.pattern === 'string' 
+          ? new RegExp(rule.pattern, rule.flags || 'i') 
+          : rule.pattern;
+        
+        // Check if file is in exceptions
+        if (rule.exceptions && rule.exceptions.some(ex => file.includes(ex))) {
+          continue;
+        }
+
+        if (pattern.test(content)) {
+          // Check for architect approval
+          const hasApproval = content.includes(APPROVALS_TAG);
+          
+          if (!hasApproval) {
+            violations.push({
+              file,
+              rule: rule.name || 'Unnamed rule',
+              severity: rule.severity || 'error'
+            });
+          }
+        }
+      }
+    }
+
+    // Check required imports (rules)
+    if (schema.rules && Array.isArray(schema.rules)) {
+      for (const rule of schema.rules) {
+        if (!rule.pattern || !rule.requiredImports) continue;
+
+        const filePattern = typeof rule.pattern === 'string' ? new RegExp(rule.pattern) : rule.pattern;
+        
+        if (!filePattern.test(file)) continue;
+
+        // Check if file is in exceptions
+        if (rule.exceptions && rule.exceptions.some(ex => file.includes(ex))) {
+          continue;
+        }
+
+        // Check each required import
+        for (const requiredImport of rule.requiredImports) {
+          const importPattern = new RegExp(`import.*${requiredImport}`, 'i');
+          
+          if (!importPattern.test(content)) {
+            // Check for architect approval
+            const hasApproval = content.includes(APPROVALS_TAG);
+            
+            if (!hasApproval) {
+              violations.push({
+                file,
+                rule: `${rule.name || 'Unnamed rule'}: missing import '${requiredImport}'`,
+                severity: rule.severity || 'error'
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+
+  // Report violations
+  if (violations.length > 0) {
+    console.error('\n❌ Architecture violations detected:\n');
+    
+    for (const v of violations) {
+      const icon = v.severity === 'error' ? '🔴' : '⚠️';
+      console.error(`${icon} [${v.severity.toUpperCase()}] ${v.file}`);
+      console.error(`   ${v.rule}`);
+      console.error(`   Add ${APPROVALS_TAG} comment to override\n`);
+    }
+    
+    const errorCount = violations.filter(v => v.severity === 'error').length;
+    if (errorCount > 0) {
+      console.error(`\n❌ Commit blocked: ${errorCount} error(s) found`);
+      process.exit(1);
+    }
+  }
+
+  console.log('✅ All checks passed');
+}
+
+main().catch(err => {
+  console.error('❌ Guardian check failed:', err?.message || err);
+  process.exit(1);
+});