code-sentinel-mcp 0.2.4 → 0.2.6

package/build/patterns/builders.d.ts

@@ -0,0 +1,20 @@
+import { MatchConfig, EmptyBlockConfig, FunctionCallConfig, ReturnsOnlyConfig, ContainsTextConfig, FallbackValueConfig, AssignmentPatternConfig, ChainedAccessConfig, CatchHandlerConfig, PromiseCatchConfig, CommentMarkerConfig, StringLiteralConfig, SecretPatternConfig, UrlPatternConfig, SuppressionCommentConfig, TypeCastConfig, ComparisonConfig, LoopPatternConfig, RawRegexConfig } from './types.js';
+export declare function buildEmptyBlock(config: EmptyBlockConfig): RegExp[];
+export declare function buildFunctionCall(config: FunctionCallConfig): RegExp[];
+export declare function buildReturnsOnly(config: ReturnsOnlyConfig): RegExp[];
+export declare function buildContainsText(config: ContainsTextConfig): RegExp[];
+export declare function buildFallbackValue(config: FallbackValueConfig): RegExp[];
+export declare function buildAssignmentPattern(config: AssignmentPatternConfig): RegExp[];
+export declare function buildChainedAccess(config: ChainedAccessConfig): RegExp[];
+export declare function buildCatchHandler(config: CatchHandlerConfig): RegExp[];
+export declare function buildPromiseCatch(config: PromiseCatchConfig): RegExp[];
+export declare function buildCommentMarker(config: CommentMarkerConfig): RegExp[];
+export declare function buildStringLiteral(config: StringLiteralConfig): RegExp[];
+export declare function buildSecretPattern(config: SecretPatternConfig): RegExp[];
+export declare function buildUrlPattern(config: UrlPatternConfig): RegExp[];
+export declare function buildSuppressionComment(config: SuppressionCommentConfig): RegExp[];
+export declare function buildTypeCast(config: TypeCastConfig): RegExp[];
+export declare function buildComparison(config: ComparisonConfig): RegExp[];
+export declare function buildLoopPattern(config: LoopPatternConfig): RegExp[];
+export declare function buildRawRegex(config: RawRegexConfig): RegExp[];
+export declare function buildPattern(config: MatchConfig): RegExp[];

package/build/patterns/builders.js

@@ -0,0 +1,335 @@
+// Pattern builders - transform declarative configs into regex
+// Utility: escape special regex characters
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+// Utility: convert value shorthand to regex pattern
+function valueToPattern(value) {
+    const valueMap = {
+        '[]': '\\[\\s*\\]',
+        '{}': '\\{\\s*\\}',
+        'null': 'null',
+        'undefined': 'undefined',
+        'true': 'true',
+        'false': 'false',
+        '""': '["\']\\s*["\']',
+        "''": '["\']\\s*["\']',
+        '0': '0',
+        '-1': '-1',
+    };
+    return valueMap[value] || escapeRegex(value);
+}
+// Builder: Empty blocks (catch, finally, .catch, .then)
+export function buildEmptyBlock(config) {
+    const results = [];
+    for (const construct of config.constructs) {
+        if (construct === 'catch') {
+            // try-catch style: catch(e) { }
+            results.push(/catch\s*\([^)]*\)\s*\{\s*\}/g);
+            if (config.allowComments) {
+                results.push(/catch\s*\([^)]*\)\s*\{\s*\/\/[^\n]*\s*\}/g);
+                results.push(/catch\s*\([^)]*\)\s*\{\s*\/\*[\s\S]*?\*\/\s*\}/g);
+            }
+        }
+        if (construct === 'finally') {
+            results.push(/finally\s*\{\s*\}/g);
+        }
+        if (construct === '.catch') {
+            // Promise style: .catch(() => {})
+            results.push(/\.catch\s*\(\s*\(\s*\)\s*=>\s*\{\s*\}\s*\)/g);
+            results.push(/\.catch\s*\(\s*\w+\s*=>\s*\{\s*\}\s*\)/g);
+            results.push(/\.catch\s*\(\s*function\s*\([^)]*\)\s*\{\s*\}\s*\)/g);
+        }
+        if (construct === '.then') {
+            results.push(/\.then\s*\(\s*\(\s*\)\s*=>\s*\{\s*\}\s*\)/g);
+            results.push(/\.then\s*\(\s*\w+\s*=>\s*\{\s*\}\s*\)/g);
+        }
+        if (construct === '.finally') {
+            results.push(/\.finally\s*\(\s*\(\s*\)\s*=>\s*\{\s*\}\s*\)/g);
+        }
+    }
+    return results;
+}
+// Builder: Function calls
+export function buildFunctionCall(config) {
+    const results = [];
+    const escaped = config.names.map(n => escapeRegex(n));
+    const namesPattern = escaped.join('|');
+    // Direct call: eval(), Function()
+    results.push(new RegExp(`\\b(${namesPattern})\\s*\\(`, 'gi'));
+    // Method call: obj.eval() if enabled
+    if (config.methods) {
+        results.push(new RegExp(`\\.(${namesPattern})\\s*\\(`, 'gi'));
+    }
+    // Constructor: new Function() if enabled
+    if (config.constructors) {
+        results.push(new RegExp(`new\\s+(${namesPattern})\\s*\\(`, 'gi'));
+    }
+    return results;
+}
+// Builder: Return statements with specific values
+export function buildReturnsOnly(config) {
+    const results = [];
+    const valuePatterns = config.values.map(valueToPattern);
+    const valuesPattern = valuePatterns.join('|');
+    if (config.withComment && config.withComment.length > 0) {
+        // return value; // comment with specific words
+        const commentWords = config.withComment.join('|');
+        results.push(new RegExp(`return\\s+(${valuesPattern})\\s*;?\\s*\\/\\/\\s*(?:.*?)(${commentWords})`, 'gi'));
+    }
+    else {
+        // Just return value;
+        results.push(new RegExp(`return\\s+(${valuesPattern})\\s*;?`, 'gi'));
+    }
+    return results;
+}
+// Builder: Text search in context
+export function buildContainsText(config) {
+    const results = [];
+    const flags = config.caseInsensitive !== false ? 'gi' : 'g';
+    const termsPattern = config.terms.map(escapeRegex).join('|');
+    const context = config.context || 'any';
+    if (context === 'single_line_comment' || context === 'comment' || context === 'any') {
+        results.push(new RegExp(`\\/\\/.*?(${termsPattern})`, flags));
+    }
+    if (context === 'block_comment' || context === 'comment' || context === 'any') {
+        results.push(new RegExp(`\\/\\*[\\s\\S]*?(${termsPattern})[\\s\\S]*?\\*\\/`, flags));
+    }
+    if (context === 'string' || context === 'any') {
+        results.push(new RegExp(`(['"\`])[^'"\`]*(${termsPattern})[^'"\`]*\\1`, flags));
+    }
+    return results;
+}
+// Builder: Fallback values
+export function buildFallbackValue(config) {
+    const results = [];
+    const valuePatterns = config.values.map(valueToPattern);
+    const valuesPattern = valuePatterns.join('|');
+    for (const op of config.operators) {
+        const escapedOp = escapeRegex(op);
+        results.push(new RegExp(`${escapedOp}\\s*(${valuesPattern})`, 'g'));
+    }
+    return results;
+}
+// Builder: Assignment patterns
+export function buildAssignmentPattern(config) {
+    const results = [];
+    const keysPattern = config.keys.map(escapeRegex).join('|');
+    const operators = config.operators || ['=', ':'];
+    for (const op of operators) {
+        if (config.values && config.values.length > 0) {
+            const valuesPattern = config.values.map(escapeRegex).join('|');
+            results.push(new RegExp(`(?:${keysPattern})\\s*${escapeRegex(op)}\\s*['"\`]([^'"\`]*(?:${valuesPattern})[^'"\`]*)['"\`]`, 'gi'));
+        }
+        else {
+            results.push(new RegExp(`(?:${keysPattern})\\s*${escapeRegex(op)}\\s*['"\`][^'"\`]{8,}['"\`]`, 'gi'));
+        }
+    }
+    return results;
+}
+// Builder: Chained access
+export function buildChainedAccess(config) {
+    const op = config.operator === '?.' ? '\\?\\.' : '\\.';
+    const pattern = `(?:${op}\\w+){${config.minDepth},}`;
+    return [new RegExp(pattern, 'g')];
+}
+// Builder: Catch handlers
+export function buildCatchHandler(config) {
+    const results = [];
+    switch (config.behavior) {
+        case 'empty':
+            results.push(/catch\s*\([^)]*\)\s*\{\s*\}/g);
+            break;
+        case 'comment_only':
+            results.push(/catch\s*\([^)]*\)\s*\{\s*\/\/.*?\s*\}/gs);
+            results.push(/catch\s*\([^)]*\)\s*\{\s*\/\*[\s\S]*?\*\/\s*\}/g);
+            break;
+        case 'log_only':
+            results.push(/catch\s*\([^)]*\)\s*\{\s*(?:console\.log|print)\s*\([^)]*\)\s*;?\s*\}/g);
+            break;
+        case 'returns_value':
+            results.push(/catch\s*\([^)]*\)\s*\{[^}]*return\s+(?:null|undefined|false|true|''|""|\[\s*\]|\{\s*\})\s*;?\s*\}/g);
+            break;
+        case 'ignores_error':
+            results.push(/catch\s*\(\s*_\s*\)/g);
+            break;
+    }
+    return results;
+}
+// Builder: Promise catch
+export function buildPromiseCatch(config) {
+    const results = [];
+    switch (config.behavior) {
+        case 'empty':
+            results.push(/\.catch\s*\(\s*\(\s*\)\s*=>\s*\{\s*\}\s*\)/g);
+            results.push(/\.catch\s*\(\s*\w+\s*=>\s*\{\s*\}\s*\)/g);
+            break;
+        case 'returns_silent':
+            const values = config.silentValues || ['null', 'undefined', 'false', 'true', "''", '""'];
+            const valuesPattern = values.map(valueToPattern).join('|');
+            results.push(new RegExp(`\\.catch\\s*\\(\\s*\\(\\s*\\)\\s*=>\\s*(?:${valuesPattern})\\s*\\)`, 'g'));
+            break;
+        case 'ignores_param':
+            results.push(/\.catch\s*\(\s*_\s*=>\s*\{?\s*\}?\s*\)/g);
+            break;
+    }
+    return results;
+}
+// Builder: Comment markers
+export function buildCommentMarker(config) {
+    const results = [];
+    const markersPattern = config.markers.map(escapeRegex).join('|');
+    const style = config.style || 'any';
+    if (style === 'single' || style === 'any') {
+        results.push(new RegExp(`\\/\\/\\s*(${markersPattern})(?::|\\.|\\s).*$`, 'gim'));
+    }
+    if (style === 'block' || style === 'any') {
+        results.push(new RegExp(`\\/\\*[\\s\\S]*?(${markersPattern})[\\s\\S]*?\\*\\/`, 'gi'));
+    }
+    return results;
+}
+// Builder: String literals
+export function buildStringLiteral(config) {
+    const flags = config.caseInsensitive ? 'gi' : 'g';
+    const patternsJoined = config.patterns.map(escapeRegex).join('|');
+    return [new RegExp(`['"\`](?:[^'"\`]*)?(${patternsJoined})(?:[^'"\`]*)?['"\`]`, flags)];
+}
+// Builder: Secret patterns
+export function buildSecretPattern(config) {
+    const results = [];
+    switch (config.kind) {
+        case 'generic':
+            results.push(/(?:api[_-]?key|apikey|secret|password|passwd|pwd|token|auth[_-]?token|access[_-]?token|private[_-]?key)\s*[:=]\s*['"`][^'"`]{8,}['"`]/gi);
+            break;
+        case 'github':
+            results.push(/(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}/g);
+            break;
+        case 'openai':
+            results.push(/sk-[A-Za-z0-9]{48,}/g);
+            break;
+        case 'aws':
+            results.push(/AKIA[0-9A-Z]{16}/g);
+            break;
+        case 'stripe':
+            results.push(/sk_(?:live|test)_[A-Za-z0-9]{24,}/g);
+            results.push(/pk_(?:live|test)_[A-Za-z0-9]{24,}/g);
+            break;
+        case 'custom':
+            if (config.customPattern) {
+                results.push(new RegExp(config.customPattern, 'g'));
+            }
+            break;
+    }
+    return results;
+}
+// Builder: URL patterns
+export function buildUrlPattern(config) {
+    const results = [];
+    const protocol = config.protocol || 'any';
+    if (protocol === 'http' || protocol === 'any') {
+        if (config.excludeLocalhost) {
+            results.push(/http:\/\/(?!localhost|127\.0\.0\.1)[^\s'"`)]+/g);
+        }
+        else {
+            results.push(/http:\/\/[^\s'"`)]+/g);
+        }
+    }
+    if (protocol === 'https' || protocol === 'any') {
+        results.push(/https:\/\/[^\s'"`)]+/g);
+    }
+    return results;
+}
+// Builder: Suppression comments
+export function buildSuppressionComment(config) {
+    const toolsPattern = config.tools.map(escapeRegex).join('|');
+    return [new RegExp(`\\/\\/\\s*(?:@)?(${toolsPattern})`, 'g')];
+}
+// Builder: Type casts
+export function buildTypeCast(config) {
+    const targetsPattern = config.targets.map(escapeRegex).join('|');
+    return [new RegExp(`as\\s+(${targetsPattern})(?!\\w)`, 'g')];
+}
+// Builder: Comparison
+export function buildComparison(config) {
+    const results = [];
+    for (const op of config.operators) {
+        if (op === '==') {
+            results.push(/[^!=]==[^=]/g);
+        }
+        else if (op === '!=') {
+            results.push(/!=[^=]/g);
+        }
+        else if (op === '===') {
+            results.push(/===/g);
+        }
+        else if (op === '!==') {
+            results.push(/!==/g);
+        }
+    }
+    return results;
+}
+// Builder: Loop patterns
+export function buildLoopPattern(config) {
+    const results = [];
+    switch (config.kind) {
+        case 'for_in':
+            results.push(/for\s*\(\s*(?:var|let|const)\s+\w+\s+in\s+/g);
+            break;
+        case 'while_true':
+            results.push(/while\s*\(\s*true\s*\)/g);
+            break;
+        case 'infinite':
+            results.push(/while\s*\(\s*true\s*\)/g);
+            results.push(/for\s*\(\s*;\s*;\s*\)/g);
+            break;
+    }
+    return results;
+}
+// Builder: Raw regex (escape hatch)
+export function buildRawRegex(config) {
+    return [new RegExp(config.pattern, config.flags || 'g')];
+}
+// Main dispatcher: convert any MatchConfig to RegExp[]
+export function buildPattern(config) {
+    switch (config.type) {
+        case 'empty_block':
+            return buildEmptyBlock(config);
+        case 'function_call':
+            return buildFunctionCall(config);
+        case 'returns_only':
+            return buildReturnsOnly(config);
+        case 'contains_text':
+            return buildContainsText(config);
+        case 'fallback_value':
+            return buildFallbackValue(config);
+        case 'assignment_pattern':
+            return buildAssignmentPattern(config);
+        case 'chained_access':
+            return buildChainedAccess(config);
+        case 'catch_handler':
+            return buildCatchHandler(config);
+        case 'promise_catch':
+            return buildPromiseCatch(config);
+        case 'comment_marker':
+            return buildCommentMarker(config);
+        case 'string_literal':
+            return buildStringLiteral(config);
+        case 'secret_pattern':
+            return buildSecretPattern(config);
+        case 'url_pattern':
+            return buildUrlPattern(config);
+        case 'suppression_comment':
+            return buildSuppressionComment(config);
+        case 'type_cast':
+            return buildTypeCast(config);
+        case 'comparison':
+            return buildComparison(config);
+        case 'loop_pattern':
+            return buildLoopPattern(config);
+        case 'raw_regex':
+            return buildRawRegex(config);
+        default:
+            console.warn(`Unknown match type: ${config.type}`);
+            return [];
+    }
+}

package/build/patterns/compiler.d.ts

@@ -0,0 +1,16 @@
+import { PatternDefinition, CompiledPattern } from './types.js';
+import { Category } from '../types.js';
+export declare function compileDefinition(definition: PatternDefinition): CompiledPattern;
+export declare function compileCategory(definitions: PatternDefinition[]): CompiledPattern[];
+export declare function getCompiledPatterns(category?: Category): CompiledPattern[];
+export declare function clearPatternCache(): void;
+export declare function getDefinitions(category?: Category): PatternDefinition[];
+export declare function validateDefinitions(): {
+    valid: boolean;
+    errors: string[];
+};
+export declare function getPatternStats(): {
+    total: number;
+    byCategory: Record<string, number>;
+    bySeverity: Record<string, number>;
+};

package/build/patterns/compiler.js

@@ -0,0 +1,108 @@
+// Pattern compiler - transforms definitions into executable patterns
+import { buildPattern } from './builders.js';
+import { securityDefinitions, deceptiveDefinitions, placeholderDefinitions, errorDefinitions, } from './definitions/index.js';
+// Cache for compiled patterns
+let compiledCache = null;
+// Compile a single pattern definition
+export function compileDefinition(definition) {
+    const patterns = buildPattern(definition.match);
+    return {
+        id: definition.id,
+        title: definition.title,
+        description: definition.description,
+        severity: definition.severity,
+        category: definition.category,
+        suggestion: definition.suggestion,
+        patterns,
+        verification: definition.verification,
+    };
+}
+// Compile all definitions of a specific category
+export function compileCategory(definitions) {
+    return definitions.map(compileDefinition);
+}
+// Get all compiled patterns, optionally filtered by category
+export function getCompiledPatterns(category) {
+    // Build cache if needed
+    if (!compiledCache) {
+        compiledCache = new Map();
+        compiledCache.set('security', compileCategory(securityDefinitions));
+        compiledCache.set('deceptive', compileCategory(deceptiveDefinitions));
+        compiledCache.set('placeholder', compileCategory(placeholderDefinitions));
+        compiledCache.set('error', compileCategory(errorDefinitions));
+    }
+    if (category) {
+        return compiledCache.get(category) || [];
+    }
+    // Return all patterns
+    const all = [];
+    for (const patterns of compiledCache.values()) {
+        all.push(...patterns);
+    }
+    return all;
+}
+// Clear the cache (useful for testing or hot reload)
+export function clearPatternCache() {
+    compiledCache = null;
+}
+// Get raw definitions (for inspection/debugging)
+export function getDefinitions(category) {
+    const allDefs = {
+        security: securityDefinitions,
+        deceptive: deceptiveDefinitions,
+        placeholder: placeholderDefinitions,
+        error: errorDefinitions,
+        strength: [], // Strengths use a different system
+    };
+    if (category) {
+        return allDefs[category] || [];
+    }
+    return [
+        ...securityDefinitions,
+        ...deceptiveDefinitions,
+        ...placeholderDefinitions,
+        ...errorDefinitions,
+    ];
+}
+// Validate all definitions (for testing)
+export function validateDefinitions() {
+    const errors = [];
+    const allDefs = getDefinitions();
+    const ids = new Set();
+    for (const def of allDefs) {
+        // Check for duplicate IDs
+        if (ids.has(def.id)) {
+            errors.push(`Duplicate pattern ID: ${def.id}`);
+        }
+        ids.add(def.id);
+        // Try to compile and check for errors
+        try {
+            const compiled = compileDefinition(def);
+            if (compiled.patterns.length === 0) {
+                errors.push(`Pattern ${def.id} compiled to zero regex patterns`);
+            }
+        }
+        catch (e) {
+            errors.push(`Pattern ${def.id} failed to compile: ${e instanceof Error ? e.message : String(e)}`);
+        }
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}
+// Stats about patterns
+export function getPatternStats() {
+    const allDefs = getDefinitions();
+    const byCategory = {};
+    const bySeverity = {};
+    for (const def of allDefs) {
+        byCategory[def.category] = (byCategory[def.category] || 0) + 1;
+        bySeverity[def.severity] = (bySeverity[def.severity] || 0) + 1;
+    }
+    return {
+        total: allDefs.length,
+        byCategory,
+        bySeverity,
+    };
+}

package/build/patterns/definitions/deceptive.d.ts

@@ -0,0 +1,2 @@
+import { PatternDefinition } from '../types.js';
+export declare const deceptiveDefinitions: PatternDefinition[];