claude-dev-env 1.0.0

package/hooks/validators/security_checks.py

@@ -0,0 +1,135 @@
+"""Security vulnerability detection validator.
+
+Implements:
+- Check 27: Hardcoded secrets (API keys, passwords, tokens)
+- Check 28: SQL injection risk (f-strings/format in SQL)
+- Check 29: XSS risk (mark_safe without sanitization)
+"""
+
+import ast
+import re
+import sys
+from pathlib import Path
+from typing import List
+
+from validator_base import Violation
+
+
+SECRET_PATTERNS: frozenset[str] = frozenset({
+    "api_key", "apikey", "api-key",
+    "password", "passwd", "pwd",
+    "secret", "token", "auth",
+    "private_key", "privatekey",
+    "credential", "credentials",
+})
+
+SQL_EXECUTE_PATTERN = re.compile(r"\.execute\s*\(\s*f['\"]|\.execute\s*\([^)]*\.format\(", re.IGNORECASE)
+
+
+def check_hardcoded_secrets(tree: ast.AST, filename: str) -> List[Violation]:
+    violations: List[Violation] = []
+
+    for node in ast.walk(tree):
+        if isinstance(node, ast.Assign):
+            for target in node.targets:
+                if isinstance(target, ast.Name):
+                    var_name = target.id.lower()
+                    if any(pattern in var_name for pattern in SECRET_PATTERNS):
+                        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
+                            if len(node.value.value) > 3:
+                                violations.append(
+                                    Violation(
+                                        filename,
+                                        node.lineno,
+                                        f"Hardcoded secret in '{target.id}' - use environment variable",
+                                    )
+                                )
+
+    return violations
+
+
+def check_sql_injection(source: str, filename: str) -> List[Violation]:
+    violations: List[Violation] = []
+    lines = source.splitlines()
+
+    for line_num, line in enumerate(lines, start=1):
+        if SQL_EXECUTE_PATTERN.search(line):
+            violations.append(
+                Violation(
+                    filename,
+                    line_num,
+                    "SQL injection risk - use parameterized queries instead of f-string/format",
+                )
+            )
+
+    return violations
+
+
+def check_xss_risk(tree: ast.AST, filename: str) -> List[Violation]:
+    violations: List[Violation] = []
+
+    for node in ast.walk(tree):
+        if isinstance(node, ast.Call):
+            if isinstance(node.func, ast.Name) and node.func.id == "mark_safe":
+                violations.append(
+                    Violation(
+                        filename,
+                        node.lineno,
+                        "XSS risk - mark_safe() on user input is dangerous",
+                    )
+                )
+            elif isinstance(node.func, ast.Attribute) and node.func.attr == "mark_safe":
+                violations.append(
+                    Violation(
+                        filename,
+                        node.lineno,
+                        "XSS risk - mark_safe() on user input is dangerous",
+                    )
+                )
+
+    return violations
+
+
+def validate_file(file_path: Path) -> List[Violation]:
+    violations: List[Violation] = []
+    filename = str(file_path)
+
+    try:
+        source = file_path.read_text(encoding="utf-8")
+    except Exception as error:
+        return [Violation(filename, 0, f"Error reading file: {error}")]
+
+    try:
+        tree = ast.parse(source)
+    except SyntaxError as error:
+        return [Violation(filename, error.lineno or 0, f"Syntax error: {error.msg}")]
+
+    violations.extend(check_hardcoded_secrets(tree, filename))
+    violations.extend(check_sql_injection(source, filename))
+    violations.extend(check_xss_risk(tree, filename))
+
+    return violations
+
+
+def main() -> int:
+    if len(sys.argv) < 2:
+        print("Usage: security_checks.py <file1.py> [file2.py ...]", file=sys.stderr)
+        return 1
+
+    all_violations: List[Violation] = []
+
+    for file_arg in sys.argv[1:]:
+        file_path = Path(file_arg)
+        if not file_path.exists():
+            print(f"Error: File not found: {file_path}", file=sys.stderr)
+            return 1
+        all_violations.extend(validate_file(file_path))
+
+    for violation in all_violations:
+        print(violation)
+
+    return 1 if all_violations else 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

package/hooks/validators/test_abbreviation_checks.py

@@ -0,0 +1,76 @@
+"""Tests for abbreviation detection."""
+
+import ast
+from pathlib import Path
+
+import pytest
+
+from abbreviation_checks import (
+    check_single_letter_variables,
+    validate_file,
+)
+from validator_base import Violation
+
+
+GOOD_DESCRIPTIVE_NAMES = '''
+def process_data(items):
+    item_data = get_item()
+    for file_path in files:
+        result = process(file_path)
+    return [item for item in items if item.active]
+'''
+
+BAD_SINGLE_LETTER_ASSIGNMENT = '''
+def process():
+    t = get_item()
+    return t
+'''
+
+BAD_SINGLE_LETTER_LOOP = '''
+def process(files):
+    for f in files:
+        print(f)
+'''
+
+BAD_SINGLE_LETTER_COMPREHENSION = '''
+def process(items):
+    return [x for x in items if x.active]
+'''
+
+ALLOWED_LOOP_COUNTERS = '''
+def process(matrix):
+    for i in range(10):
+        for j in range(10):
+            for k in range(10):
+                matrix[i][j][k] = 0
+'''
+
+
+class TestSingleLetterVariables:
+    def test_descriptive_names_pass(self) -> None:
+        tree = ast.parse(GOOD_DESCRIPTIVE_NAMES)
+        violations = check_single_letter_variables(tree, "test.py")
+        assert violations == []
+
+    def test_single_letter_assignment_fails(self) -> None:
+        tree = ast.parse(BAD_SINGLE_LETTER_ASSIGNMENT)
+        violations = check_single_letter_variables(tree, "test.py")
+        assert len(violations) == 1
+        assert "t" in violations[0].message
+
+    def test_single_letter_loop_variable_fails(self) -> None:
+        tree = ast.parse(BAD_SINGLE_LETTER_LOOP)
+        violations = check_single_letter_variables(tree, "test.py")
+        assert len(violations) == 1
+        assert "f" in violations[0].message
+
+    def test_single_letter_comprehension_fails(self) -> None:
+        tree = ast.parse(BAD_SINGLE_LETTER_COMPREHENSION)
+        violations = check_single_letter_variables(tree, "test.py")
+        assert len(violations) == 1
+        assert "x" in violations[0].message
+
+    def test_loop_counters_ijk_allowed(self) -> None:
+        tree = ast.parse(ALLOWED_LOOP_COUNTERS)
+        violations = check_single_letter_variables(tree, "test.py")
+        assert violations == []

package/hooks/validators/test_bad.tsx

@@ -0,0 +1,7 @@
+import { Component } from 'react';
+
+class BadComponent extends Component {
+    render() {
+        return <div>Bad</div>;
+    }
+}

package/hooks/validators/test_code_quality_checks.py

@@ -0,0 +1,129 @@
+"""Tests for code quality checks."""
+
+import ast
+import tempfile
+from pathlib import Path
+
+import pytest
+
+from code_quality_checks import (
+    check_function_length,
+    check_nesting_depth,
+    check_file_length,
+)
+from validator_base import Violation
+
+
+GOOD_SHORT_FUNCTION = '''
+def process(items):
+    result = []
+    for item in items:
+        if item.active:
+            result.append(item)
+    return result
+'''
+
+BAD_LONG_FUNCTION = '''
+def process(items):
+    line1 = 1
+    line2 = 2
+    line3 = 3
+    line4 = 4
+    line5 = 5
+    line6 = 6
+    line7 = 7
+    line8 = 8
+    line9 = 9
+    line10 = 10
+    line11 = 11
+    line12 = 12
+    line13 = 13
+    line14 = 14
+    line15 = 15
+    line16 = 16
+    line17 = 17
+    line18 = 18
+    line19 = 19
+    line20 = 20
+    line21 = 21
+    line22 = 22
+    line23 = 23
+    line24 = 24
+    line25 = 25
+    line26 = 26
+    line27 = 27
+    line28 = 28
+    line29 = 29
+    line30 = 30
+    line31 = 31
+    return line31
+'''
+
+GOOD_SHALLOW_NESTING = '''
+def process(items):
+    for item in items:
+        if item.active:
+            result.append(item)
+    return result
+'''
+
+BAD_DEEP_NESTING = '''
+def process(items):
+    for item in items:
+        if item.active:
+            if item.valid:
+                if item.enabled:
+                    result.append(item)
+    return result
+'''
+
+
+class TestFunctionLength:
+    def test_short_function_passes(self) -> None:
+        tree = ast.parse(GOOD_SHORT_FUNCTION)
+        violations = check_function_length(tree, "test.py")
+        assert violations == []
+
+    def test_long_function_fails(self) -> None:
+        tree = ast.parse(BAD_LONG_FUNCTION)
+        violations = check_function_length(tree, "test.py")
+        assert len(violations) == 1
+        assert "30" in violations[0].message or "lines" in violations[0].message.lower()
+
+
+class TestNestingDepth:
+    def test_shallow_nesting_passes(self) -> None:
+        tree = ast.parse(GOOD_SHALLOW_NESTING)
+        violations = check_nesting_depth(tree, "test.py")
+        assert violations == []
+
+    def test_deep_nesting_fails(self) -> None:
+        tree = ast.parse(BAD_DEEP_NESTING)
+        violations = check_nesting_depth(tree, "test.py")
+        assert len(violations) == 1
+        assert "nesting" in violations[0].message.lower()
+
+
+class TestFileLength:
+    def test_short_file_passes(self) -> None:
+        with tempfile.NamedTemporaryFile(mode="w", suffix=".py", delete=False) as temp_file:
+            temp_file.write("x = 1\n" * 100)
+            temp_path = Path(temp_file.name)
+
+        try:
+            violations = check_file_length(temp_path)
+            assert violations == []
+        finally:
+            temp_path.unlink()
+
+    def test_long_file_fails(self) -> None:
+        with tempfile.NamedTemporaryFile(mode="w", suffix=".py", delete=False) as temp_file:
+            temp_file.write("x = 1\n" * 450)
+            temp_path = Path(temp_file.name)
+
+        try:
+            violations = check_file_length(temp_path)
+            assert len(violations) == 1
+            assert "400" in violations[0].message or "lines" in violations[0].message.lower()
+        finally:
+            temp_path.unlink()

package/hooks/validators/test_file_structure_checks.py

@@ -0,0 +1,307 @@
+"""Tests for file structure validation checks."""
+
+import tempfile
+from pathlib import Path
+from typing import List
+
+import pytest
+
+from file_structure_checks import (
+    Violation,
+    check_multiple_requirements_txt,
+    check_empty_init_files,
+    main,
+)
+
+
+class TestMultipleRequirementsTxt:
+    """Test detection of multiple requirements.txt files."""
+
+    def test_single_requirements_txt_passes(self, tmp_path: Path) -> None:
+        """Single requirements.txt at root should pass."""
+        (tmp_path / "requirements.txt").write_text("pytest==7.4.0\n")
+
+        violations = check_multiple_requirements_txt(tmp_path)
+
+        assert violations == []
+
+    def test_multiple_requirements_txt_fails(self, tmp_path: Path) -> None:
+        """Multiple requirements.txt files should fail."""
+        (tmp_path / "requirements.txt").write_text("pytest==7.4.0\n")
+        tools_dir = tmp_path / "tools"
+        tools_dir.mkdir()
+        (tools_dir / "requirements.txt").write_text("requests==2.31.0\n")
+
+        violations = check_multiple_requirements_txt(tmp_path)
+
+        assert len(violations) == 1
+        assert "multiple requirements.txt" in violations[0].message.lower()
+        assert "tools/requirements.txt" in violations[0].message
+
+    def test_no_requirements_txt_passes(self, tmp_path: Path) -> None:
+        """No requirements.txt files should pass (not our concern)."""
+        violations = check_multiple_requirements_txt(tmp_path)
+
+        assert violations == []
+
+    def test_excludes_venv_directories(self, tmp_path: Path) -> None:
+        """Should ignore requirements.txt in venv/node_modules."""
+        (tmp_path / "requirements.txt").write_text("pytest==7.4.0\n")
+
+        venv_dir = tmp_path / ".venv" / "lib"
+        venv_dir.mkdir(parents=True)
+        (venv_dir / "requirements.txt").write_text("ignored")
+
+        node_dir = tmp_path / "node_modules" / "package"
+        node_dir.mkdir(parents=True)
+        (node_dir / "requirements.txt").write_text("ignored")
+
+        violations = check_multiple_requirements_txt(tmp_path)
+
+        assert violations == []
+
+    def test_three_requirements_files_reports_all(self, tmp_path: Path) -> None:
+        """Should report all extra requirements.txt files."""
+        (tmp_path / "requirements.txt").write_text("pytest==7.4.0\n")
+        (tmp_path / "tools").mkdir()
+        (tmp_path / "tools" / "requirements.txt").write_text("requests==2.31.0\n")
+        (tmp_path / "scripts").mkdir()
+        (tmp_path / "scripts" / "requirements.txt").write_text("pandas==2.0.0\n")
+
+        violations = check_multiple_requirements_txt(tmp_path)
+
+        assert len(violations) == 1
+        assert "tools/requirements.txt" in violations[0].message
+        assert "scripts/requirements.txt" in violations[0].message
+
+
+class TestEmptyInitFiles:
+    """Test detection of empty __init__.py files."""
+
+    def test_no_init_files_passes(self, tmp_path: Path) -> None:
+        """No __init__.py files should pass."""
+        violations = check_empty_init_files(tmp_path)
+
+        assert violations == []
+
+    def test_non_empty_init_passes(self, tmp_path: Path) -> None:
+        """__init__.py with content should pass."""
+        package_dir = tmp_path / "mypackage"
+        package_dir.mkdir()
+        (package_dir / "__init__.py").write_text("from .module import func\n")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert violations == []
+
+    def test_empty_init_fails(self, tmp_path: Path) -> None:
+        """Empty __init__.py should fail."""
+        package_dir = tmp_path / "mypackage"
+        package_dir.mkdir()
+        (package_dir / "__init__.py").write_text("")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert len(violations) == 1
+        assert violations[0].file == "mypackage/__init__.py"
+        assert violations[0].line == 1
+        assert "empty" in violations[0].message.lower()
+
+    def test_whitespace_only_init_fails(self, tmp_path: Path) -> None:
+        """__init__.py with only whitespace should fail."""
+        package_dir = tmp_path / "mypackage"
+        package_dir.mkdir()
+        (package_dir / "__init__.py").write_text("   \n\n  \t\n")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert len(violations) == 1
+        assert "empty" in violations[0].message.lower()
+
+    def test_multiple_empty_init_files(self, tmp_path: Path) -> None:
+        """Should detect all empty __init__.py files."""
+        (tmp_path / "pkg1").mkdir()
+        (tmp_path / "pkg1" / "__init__.py").write_text("")
+
+        (tmp_path / "pkg2").mkdir()
+        (tmp_path / "pkg2" / "__init__.py").write_text("  ")
+
+        (tmp_path / "pkg3").mkdir()
+        (tmp_path / "pkg3" / "__init__.py").write_text("# comment\n")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert len(violations) == 2
+        files = [v.file for v in violations]
+        assert "pkg1/__init__.py" in files
+        assert "pkg2/__init__.py" in files
+
+    def test_excludes_venv_directories(self, tmp_path: Path) -> None:
+        """Should ignore __init__.py in excluded directories."""
+        venv_dir = tmp_path / ".venv" / "lib" / "package"
+        venv_dir.mkdir(parents=True)
+        (venv_dir / "__init__.py").write_text("")
+
+        node_dir = tmp_path / "node_modules" / "package"
+        node_dir.mkdir(parents=True)
+        (node_dir / "__init__.py").write_text("")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert violations == []
+
+    def test_excludes_django_migrations_init(self, tmp_path: Path) -> None:
+        """Should ignore empty __init__.py in Django migrations directory."""
+        migrations_dir = tmp_path / "myapp" / "migrations"
+        migrations_dir.mkdir(parents=True)
+        (migrations_dir / "__init__.py").write_text("")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert violations == []
+
+    def test_excludes_django_management_init(self, tmp_path: Path) -> None:
+        """Should ignore empty __init__.py in Django management directory."""
+        mgmt_dir = tmp_path / "myapp" / "management"
+        mgmt_dir.mkdir(parents=True)
+        (mgmt_dir / "__init__.py").write_text("")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert violations == []
+
+    def test_excludes_django_commands_init(self, tmp_path: Path) -> None:
+        """Should ignore empty __init__.py in Django commands directory."""
+        cmd_dir = tmp_path / "myapp" / "management" / "commands"
+        cmd_dir.mkdir(parents=True)
+        (cmd_dir / "__init__.py").write_text("")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert violations == []
+
+    def test_excludes_django_templatetags_init(self, tmp_path: Path) -> None:
+        """Should ignore empty __init__.py in Django templatetags directory."""
+        tags_dir = tmp_path / "myapp" / "templatetags"
+        tags_dir.mkdir(parents=True)
+        (tags_dir / "__init__.py").write_text("")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert violations == []
+
+    def test_still_catches_non_django_empty_init(self, tmp_path: Path) -> None:
+        """Should still catch empty __init__.py in non-Django directories."""
+        # Django directory - should be skipped
+        migrations_dir = tmp_path / "myapp" / "migrations"
+        migrations_dir.mkdir(parents=True)
+        (migrations_dir / "__init__.py").write_text("")
+
+        # Non-Django directory - should be caught
+        utils_dir = tmp_path / "myapp" / "utils"
+        utils_dir.mkdir(parents=True)
+        (utils_dir / "__init__.py").write_text("")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert len(violations) == 1
+        assert "utils/__init__.py" in violations[0].file
+
+    def test_excludes_django_app_with_models(self, tmp_path: Path) -> None:
+        """Should ignore empty __init__.py in Django app directory with models.py."""
+        app_dir = tmp_path / "myapp"
+        app_dir.mkdir()
+        (app_dir / "__init__.py").write_text("")
+        (app_dir / "models.py").write_text("from django.db import models\n")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert violations == []
+
+    def test_excludes_django_app_with_views(self, tmp_path: Path) -> None:
+        """Should ignore empty __init__.py in Django app directory with views.py."""
+        app_dir = tmp_path / "myapp"
+        app_dir.mkdir()
+        (app_dir / "__init__.py").write_text("")
+        (app_dir / "views.py").write_text("from django.http import HttpResponse\n")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert violations == []
+
+    def test_excludes_django_app_with_apps(self, tmp_path: Path) -> None:
+        """Should ignore empty __init__.py in Django app directory with apps.py."""
+        app_dir = tmp_path / "myapp"
+        app_dir.mkdir()
+        (app_dir / "__init__.py").write_text("")
+        (app_dir / "apps.py").write_text("from django.apps import AppConfig\n")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert violations == []
+
+    def test_excludes_django_settings_module(self, tmp_path: Path) -> None:
+        """Should ignore empty __init__.py in Django settings module."""
+        settings_dir = tmp_path / "myproject"
+        settings_dir.mkdir()
+        (settings_dir / "__init__.py").write_text("")
+        (settings_dir / "settings.py").write_text("DEBUG = True\n")
+
+        violations = check_empty_init_files(tmp_path)
+
+        assert violations == []
+
+
+class TestMain:
+    """Test main function integration."""
+
+    def test_main_no_violations_exits_zero(self, tmp_path: Path, capsys) -> None:
+        """main() should exit 0 when no violations found."""
+        (tmp_path / "requirements.txt").write_text("pytest==7.4.0\n")
+
+        with pytest.raises(SystemExit) as exc_info:
+            main([str(tmp_path)])
+
+        assert exc_info.value.code == 0
+        captured = capsys.readouterr()
+        assert captured.out == ""
+
+    def test_main_with_violations_exits_one(self, tmp_path: Path, capsys) -> None:
+        """main() should exit 1 and print violations when found."""
+        package_dir = tmp_path / "mypackage"
+        package_dir.mkdir()
+        (package_dir / "__init__.py").write_text("")
+
+        with pytest.raises(SystemExit) as exc_info:
+            main([str(tmp_path)])
+
+        assert exc_info.value.code == 1
+        captured = capsys.readouterr()
+        assert "mypackage/__init__.py:1:" in captured.out
+        assert "empty" in captured.out.lower()
+
+    def test_main_prints_all_violations(self, tmp_path: Path, capsys) -> None:
+        """main() should print all violations in file:line: format."""
+        (tmp_path / "requirements.txt").write_text("pytest==7.4.0\n")
+        (tmp_path / "tools").mkdir()
+        (tmp_path / "tools" / "requirements.txt").write_text("requests==2.31.0\n")
+
+        (tmp_path / "pkg").mkdir()
+        (tmp_path / "pkg" / "__init__.py").write_text("")
+
+        with pytest.raises(SystemExit) as exc_info:
+            main([str(tmp_path)])
+
+        assert exc_info.value.code == 1
+        captured = capsys.readouterr()
+        assert "requirements.txt:1:" in captured.out
+        assert "pkg/__init__.py:1:" in captured.out
+
+    def test_main_requires_project_root_arg(self, capsys) -> None:
+        """main() should exit 1 if no project root provided."""
+        with pytest.raises(SystemExit) as exc_info:
+            main([])
+
+        assert exc_info.value.code == 1
+        captured = capsys.readouterr()
+        assert "usage" in captured.out.lower()

package/hooks/validators/test_files/01_basic_component.tsx

@@ -0,0 +1,10 @@
+// TEST: Basic class component (SHOULD BE CAUGHT)
+import React from 'react';
+
+class MyComponent extends React.Component {
+  render() {
+    return <div>Hello</div>;
+  }
+}
+
+export default MyComponent;

package/hooks/validators/test_files/02_component_without_react.tsx

@@ -0,0 +1,10 @@
+// TEST: Class component extending Component without React prefix (SHOULD BE CAUGHT)
+import { Component } from 'react';
+
+class MyComponent extends Component {
+  render() {
+    return <div>Hello</div>;
+  }
+}
+
+export default MyComponent;

package/hooks/validators/test_files/03_pure_component.tsx

@@ -0,0 +1,10 @@
+// TEST: PureComponent (SHOULD BE CAUGHT but might not be)
+import React from 'react';
+
+class MyComponent extends React.PureComponent {
+  render() {
+    return <div>Hello</div>;
+  }
+}
+
+export default MyComponent;