codeflow-hook 2.1.0 → 2.2.0

package/lib/cli-integration/src/index.ts

@@ -1,14 +1,14 @@
 #!/usr/bin/env node
 
 /**
- * CLI Integration Service - Phase 4
+ * CLI Integration Service
  *
- * Bridges the local CLI commands with EKG backend services.
- * Transforms CLI operations from local processing to backend-driven workflows.
+ * Bridges CLI commands with local git operations.
+ * EKG backend integration (Phase 4) removed — not deployed.
  *
- * Key transformations:
- * - `codeflow index` → EKG Ingestion Service webhook simulation
- * - `codeflow analyze-diff` → EKG Query Service context-enhanced analysis
+ * Key operations:
+ * - `codeflow index` → Submit repository for indexing
+ * - `codeflow analyze-diff` → Local diff parsing only
  */
 
 import axios from 'axios';
@@ -21,9 +21,51 @@ import fs from 'fs';
 // Load environment variables
 config();
 
+// Validate and sanitize environment variables
+const validateEnvironmentVariables = () => {
+  const envVars = {
+    LOG_LEVEL: process.env.LOG_LEVEL || 'info',
+    INGESTION_SERVICE_URL: process.env.INGESTION_SERVICE_URL || 'http://localhost:3000',
+    QUERY_SERVICE_URL: process.env.QUERY_SERVICE_URL || 'http://localhost:4000',
+    REQUEST_TIMEOUT: process.env.REQUEST_TIMEOUT || '30000',
+    REQUEST_RETRIES: process.env.REQUEST_RETRIES || '3'
+  };
+
+  // Validate log level
+  const validLogLevels = ['error', 'warn', 'info', 'debug'];
+  if (!validLogLevels.includes(envVars.LOG_LEVEL)) {
+    throw new Error(`Invalid LOG_LEVEL: ${envVars.LOG_LEVEL}. Must be one of: ${validLogLevels.join(', ')}`);
+  }
+
+  // Validate URLs
+  if (!envVars.INGESTION_SERVICE_URL.startsWith('http://') && !envVars.INGESTION_SERVICE_URL.startsWith('https://')) {
+    throw new Error(`Invalid INGESTION_SERVICE_URL: ${envVars.INGESTION_SERVICE_URL}. Must start with http:// or https://`);
+  }
+
+  if (!envVars.QUERY_SERVICE_URL.startsWith('http://') && !envVars.QUERY_SERVICE_URL.startsWith('https://')) {
+    throw new Error(`Invalid QUERY_SERVICE_URL: ${envVars.QUERY_SERVICE_URL}. Must start with http:// or https://`);
+  }
+
+  // Validate timeout
+  const timeout = parseInt(envVars.REQUEST_TIMEOUT, 10);
+  if (isNaN(timeout) || timeout <= 0 || timeout > 300000) { // Max 5 minutes
+    throw new Error(`Invalid REQUEST_TIMEOUT: ${envVars.REQUEST_TIMEOUT}. Must be between 1 and 300000 milliseconds`);
+  }
+
+  // Validate retries
+  const retries = parseInt(envVars.REQUEST_RETRIES, 10);
+  if (isNaN(retries) || retries <= 0 || retries > 10) {
+    throw new Error(`Invalid REQUEST_RETRIES: ${envVars.REQUEST_RETRIES}. Must be between 1 and 10`);
+  }
+
+  return envVars;
+};
+
+const envVars = validateEnvironmentVariables();
+
 // Configure logger
 const logger = winston.createLogger({
-  level: process.env.LOG_LEVEL || 'info',
+  level: envVars.LOG_LEVEL,
   format: winston.format.combine(
     winston.format.timestamp(),
     winston.format.errors({ stack: true }),
@@ -193,9 +235,8 @@ export class CLIIntegrationService {
   }
 
   /**
-   * Analyze code diff with EKG context enhancement
-   *
-   * Sends diff to Query Service for EKG-enhanced analysis instead of local RAG
+   * Analyze code diff — simplified to local diff parsing only.
+   * EKG backend integration removed (Phase 4 not deployed).
    */
   async analyzeDiff(diffContent: string, options: {
     legacy?: boolean;
@@ -221,22 +262,12 @@ export class CLIIntegrationService {
         };
       }
 
-      if (options.legacy) {
-        // Fallback to local analysis (would integrate with existing agents)
-        logger.warn('Legacy mode requested - falling back to local analysis');
-        return {
-          success: false,
-          analysis: null,
-          message: 'Legacy mode not yet implemented with EKG integration'
-        };
-      }
-
-      logger.info('Analyzing diff with EKG context enhancement', {
+      logger.info('Analyzing diff (local only — EKG backend not deployed)', {
         diffSize: diffContent.length,
         lines: diffContent.split('\n').length
       });
 
-      // Analyze diff and extract context
+      // Parse diff content locally
       const diffAnalysis = this.analyzeDiffContent(diffContent);
 
       if (diffAnalysis.files.length === 0) {
@@ -247,28 +278,30 @@ export class CLIIntegrationService {
         };
       }
 
-      // Query EKG for context on affected files
-      const ekgContext = await this.getEKGContext(diffAnalysis);
-
-      // Generate enhanced analysis with EKG data
-      const enhancedAnalysis = await this.generateEKGEnhancedAnalysis(diffAnalysis, ekgContext);
-
       const analysisTime = Date.now() - startTime;
 
-      logger.info('Diff analysis completed with EKG enhancement', {
+      logger.info('Diff analysis completed', {
         affectedFiles: diffAnalysis.files.length,
-        ekgQueries: ekgContext.queriesMade,
-        similarReposFound: ekgContext.similarRepositories?.length || 0,
         analysisTime
       });
 
       return {
         success: true,
-        analysis: enhancedAnalysis,
-        message: 'Diff analyzed with EKG context enhancement',
+        analysis: {
+          summary: {
+            totalFiles: diffAnalysis.files.length,
+            totalAdditions: diffAnalysis.totalAdditions,
+            totalDeletions: diffAnalysis.totalDeletions,
+            ekgEnhanced: false
+          },
+          files: diffAnalysis.files,
+          issues: [],
+          recommendations: []
+        },
+        message: 'Diff analyzed (local analysis only)',
         stats: {
-          ekg_queries: ekgContext.queriesMade,
-          similar_repos_found: ekgContext.similarRepositories?.length || 0,
+          ekg_queries: 0,
+          similar_repos_found: 0,
           analysis_time: analysisTime
         }
       };
@@ -368,178 +401,6 @@ export class CLIIntegrationService {
     };
   }
 
-  /**
-   * Query EKG for context on affected files
-   */
-  private async getEKGContext(diffAnalysis: any): Promise<{
-    queriesMade: number;
-    repositoryIntelligence?: any;
-    similarRepositories: any[];
-    patterns: any[];
-  }> {
-    let queriesMade = 0;
-
-    try {
-      // Get current repository information
-      const repoInfo = await this.getRepositoryInfo();
-      const repositoryId = this.generateRepositoryId(repoInfo.fullName);
-
-      // Query repository intelligence if repository exists in EKG
-      let repositoryIntelligence = null;
-      try {
-        const response = await this.makeGraphQLRequest(
-          `
-          query GetRepositoryIntelligence($repoId: ID!) {
-            repositoryIntelligence(repositoryId: $repoId) {
-              repository {
-                id name fullName language
-              }
-              patterns {
-                name type confidence category
-              }
-              dependencies {
-                dependencyType currentVersion confidence
-              }
-            }
-          }
-          `,
-          { repoId: repositoryId }
-        );
-        repositoryIntelligence = response.data?.repositoryIntelligence;
-        queriesMade++;
-      } catch (error) {
-        logger.warn('Repository not found in EKG, continuing analysis', { repositoryId });
-      }
-
-      // Find similar repositories and patterns for context
-      let similarRepositories: any[] = [];
-      try {
-        const response = await this.makeGraphQLRequest(
-          `
-          query FindSimilarRepositories($repoId: ID!, $limit: Int) {
-            similarRepositories(repositoryId: $repoId, limit: $limit) {
-              repository { name fullName language }
-              similarityScore reasons
-              sharedPatterns sizeComparison
-            }
-          }
-          `,
-          { repoId: repositoryId, limit: 5 }
-        );
-        similarRepositories = response.data?.similarRepositories || [];
-        queriesMade++;
-      } catch (error) {
-        logger.warn('Could not fetch similar repositories', { error: this.formatError(error) });
-      }
-
-      // Get enterprise-wide patterns that might be relevant
-      let patterns: any[] = [];
-      try {
-        const languages = [...new Set(diffAnalysis.files.map((f: any) => f.language))];
-
-        const response = await this.makeGraphQLRequest(
-          `
-          query GetRelevantPatterns($language: String, $limit: Int) {
-            patterns(language: $language, minConfidence: 0.7, limit: $limit) {
-              name type category confidence observationCount
-            }
-          }
-          `,
-          { language: languages[0], limit: 10 }
-        );
-        patterns = response.data?.patterns || [];
-        queriesMade++;
-      } catch (error) {
-        logger.warn('Could not fetch patterns', { error: this.formatError(error) });
-      }
-
-      return {
-        queriesMade,
-        repositoryIntelligence,
-        similarRepositories,
-        patterns
-      };
-
-    } catch (error) {
-      logger.error('EKG context retrieval failed', { error: this.formatError(error) });
-      return {
-        queriesMade,
-        similarRepositories: [],
-        patterns: []
-      };
-    }
-  }
-
-  /**
-   * Generate enhanced analysis using EKG context
-   */
-  private async generateEKGEnhancedAnalysis(diffAnalysis: any, ekgContext: any): Promise<any> {
-    // Analyze changes with EKG context
-    const issues: any[] = [];
-    const recommendations: any[] = [];
-
-    // Check against existing patterns
-    if (ekgContext.patterns && ekgContext.patterns.length > 0) {
-      for (const file of diffAnalysis.files) {
-        const relevantPatterns = ekgContext.patterns.filter((p: any) =>
-          p.type === 'security' || p.type === 'architecture'
-        );
-
-        if (relevantPatterns.length > 0) {
-          recommendations.push({
-            type: 'ekg_pattern_alignment',
-            description: `File ${file.path} modified - consider these established patterns: ${relevantPatterns.map((p: any) => p.name).join(', ')}`,
-            severity: 'info',
-            file: file.path
-          });
-        }
-      }
-    }
-
-    // Compare against similar repositories
-    if (ekgContext.similarRepositories && ekgContext.similarRepositories.length > 0) {
-      const similarRepoNames = ekgContext.similarRepositories.map((sr: any) => sr.repository.fullName);
-      recommendations.push({
-        type: 'similar_repositories',
-        description: `Changes similar to patterns seen in: ${similarRepoNames.slice(0, 3).join(', ')}`,
-        severity: 'info'
-      });
-    }
-
-    // Add repository-specific context if available
-    if (ekgContext.repositoryIntelligence) {
-      const repo = ekgContext.repositoryIntelligence.repository;
-      issues.push({
-        type: 'repository_context',
-        description: `Analyzing changes in repository ${repo.fullName} (${repo.language})`,
-        severity: 'info'
-      });
-    }
-
-    return {
-      summary: {
-        totalFiles: diffAnalysis.files.length,
-        totalAdditions: diffAnalysis.totalAdditions,
-        totalDeletions: diffAnalysis.totalDeletions,
-        ekgEnhanced: true
-      },
-      files: diffAnalysis.files.map((file: any) => ({
-        path: file.path,
-        language: file.language,
-        additions: file.additions,
-        deletions: file.deletions,
-        isNew: file.isNew
-      })),
-      issues,
-      recommendations,
-      ekg_context: {
-        patterns_analyzed: ekgContext.patterns?.length || 0,
-        similar_repositories_found: ekgContext.similarRepositories?.length || 0,
-        repository_known: !!ekgContext.repositoryIntelligence
-      }
-    };
-  }
-
   /**
    * Get current repository information
    */
@@ -636,7 +497,7 @@ export class CLIIntegrationService {
   }
 
   /**
-   * Make HTTP request to backend service with retry logic
+   * Make HTTP request to backend service with retry logic and security validation
    */
   private async makeBackendRequest(
     url: string,
@@ -645,21 +506,32 @@ export class CLIIntegrationService {
   ): Promise<any> {
     let lastError: any;
 
+    // Validate URL to prevent SSRF attacks
+    if (!this.isValidUrl(url)) {
+      throw new Error('Invalid URL provided');
+    }
+
+    // Sanitize headers to prevent header injection
+    const sanitizedHeaders = this.sanitizeHeaders(headers);
+
     for (let attempt = 1; attempt <= this.config.retries; attempt++) {
       try {
         const response = await axios.post(url, data, {
           headers: {
-            ...headers,
-            'X-Attempt': attempt.toString()
+            ...sanitizedHeaders,
+            'X-Attempt': attempt.toString(),
+            'User-Agent': 'Codeflow-CLI-Integration/1.0'
           },
-          timeout: this.config.timeout
+          timeout: this.config.timeout,
+          maxRedirects: 3,
+          validateStatus: (status) => status < 500 // Don't throw on 4xx errors
         });
 
         return response;
       } catch (error) {
         lastError = error;
         logger.warn(`Backend request attempt ${attempt} failed`, {
-          url,
+          url: this.sanitizeUrlForLogging(url),
           attempt,
           error: this.formatError(error)
         });
@@ -675,18 +547,59 @@ export class CLIIntegrationService {
   }
 
   /**
-   * Make GraphQL request to Query Service
+   * Validate URL to prevent SSRF attacks
+   */
+  private isValidUrl(url: string): boolean {
+    try {
+      const urlObj = new URL(url);
+      
+      // Block internal network ranges
+      const hostname = urlObj.hostname;
+      if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname.startsWith('10.') || 
+          hostname.startsWith('192.168.') || hostname.match(/^172\.(1[6-9]|2\d|3[01])\./)) {
+        return false;
+      }
+
+      // Only allow HTTP/HTTPS protocols
+      return urlObj.protocol === 'http:' || urlObj.protocol === 'https:';
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Sanitize headers to prevent header injection
+   */
+  private sanitizeHeaders(headers: Record<string, string>): Record<string, string> {
+    const sanitized: Record<string, string> = {};
+    
+    for (const [key, value] of Object.entries(headers)) {
+      // Remove potentially dangerous headers
+      if (key.toLowerCase().includes('cookie') || key.toLowerCase().includes('authorization')) {
+        continue;
+      }
+      
+      // Sanitize header values
+      sanitized[key] = value.replace(/[^\x20-\x7E]/g, '');
+    }
+    
+    return sanitized;
+  }
+
+  /**
+   * Sanitize URL for logging to prevent log injection
    */
-  private async makeGraphQLRequest(query: string, variables: any = {}): Promise<any> {
-    return this.makeBackendRequest(
-      `${this.config.queryServiceUrl}/graphql`,
-      { query, variables },
-      { 'Content-Type': 'application/json' }
-    );
+  private sanitizeUrlForLogging(url: string): string {
+    try {
+      const urlObj = new URL(url);
+      return `${urlObj.protocol}//${urlObj.hostname}${urlObj.pathname}`;
+    } catch {
+      return url.replace(/[\r\n]/g, '');
+    }
   }
 
   /**
-   * Generate repository ID (similar to ingestion service)
+   * Generate repository ID
    */
   private generateRepositoryId(fullName: string): string {
     return `${fullName.replace('/', '-')}-${Date.now().toString(36)}`;

package/lib/cli-integration/src/simulationEngine.ts

@@ -26,6 +26,10 @@ export class SimulationEngine {
     const executionId = this.generateExecutionId();
     const startTime = Date.now();
 
+    // Validate configuration before execution
+    this.validatePipelineConfig(config);
+    this.validateEnvironmentVariables();
+
     this.context = {
       pipelineId: config.id,
       executionId,
@@ -105,6 +109,103 @@ export class SimulationEngine {
     }
   }
 
+  /**
+   * Validate environment variables for security
+   */
+  private validateEnvironmentVariables(): void {
+    // Validate environment variables that might affect simulation
+    const envVars = {
+      NODE_ENV: process.env.NODE_ENV || 'development',
+      LOG_LEVEL: process.env.LOG_LEVEL || 'info',
+      SIMULATION_TIMEOUT: process.env.SIMULATION_TIMEOUT || '300000', // 5 minutes default
+      MAX_CONCURRENCY: process.env.MAX_CONCURRENCY || '5'
+    };
+
+    // Validate NODE_ENV
+    const validNodeEnvs = ['development', 'test', 'production'];
+    if (!validNodeEnvs.includes(envVars.NODE_ENV)) {
+      throw new Error(`Invalid NODE_ENV: ${envVars.NODE_ENV}. Must be one of: ${validNodeEnvs.join(', ')}`);
+    }
+
+    // Validate LOG_LEVEL
+    const validLogLevels = ['error', 'warn', 'info', 'debug'];
+    if (!validLogLevels.includes(envVars.LOG_LEVEL)) {
+      throw new Error(`Invalid LOG_LEVEL: ${envVars.LOG_LEVEL}. Must be one of: ${validLogLevels.join(', ')}`);
+    }
+
+    // Validate simulation timeout
+    const timeout = parseInt(envVars.SIMULATION_TIMEOUT, 10);
+    if (isNaN(timeout) || timeout <= 0 || timeout > 3600000) { // Max 1 hour
+      throw new Error(`Invalid SIMULATION_TIMEOUT: ${envVars.SIMULATION_TIMEOUT}. Must be between 1 and 3600000 milliseconds`);
+    }
+
+    // Validate max concurrency
+    const concurrency = parseInt(envVars.MAX_CONCURRENCY, 10);
+    if (isNaN(concurrency) || concurrency <= 0 || concurrency > 20) {
+      throw new Error(`Invalid MAX_CONCURRENCY: ${envVars.MAX_CONCURRENCY}. Must be between 1 and 20`);
+    }
+  }
+
+  /**
+   * Validate pipeline configuration for security and correctness
+   */
+  private validatePipelineConfig(config: PipelineConfig): void {
+    // Validate pipeline ID format
+    if (!config.id || !/^[a-z0-9-]+$/.test(config.id)) {
+      throw new Error('Invalid pipeline ID format - must contain only lowercase letters, numbers, and hyphens');
+    }
+
+    // Validate stage configurations
+    if (!config.stages || config.stages.length === 0) {
+      throw new Error('Pipeline must contain at least one stage');
+    }
+
+    // Validate each stage
+    const stageIds = new Set<string>();
+    for (const stage of config.stages) {
+      // Check for duplicate stage IDs
+      if (stageIds.has(stage.id)) {
+        throw new Error(`Duplicate stage ID found: ${stage.id}`);
+      }
+      stageIds.add(stage.id);
+
+      // Validate stage ID format
+      if (!/^[a-z0-9-]+$/.test(stage.id)) {
+        throw new Error(`Invalid stage ID format: ${stage.id}`);
+      }
+
+      // Validate dependencies don't create cycles (basic check)
+      if (stage.dependencies.includes(stage.id)) {
+        throw new Error(`Stage ${stage.id} cannot depend on itself`);
+      }
+
+      // Validate timeout values
+      if (stage.timeout <= 0 || stage.timeout > 7200000) { // Max 2 hours
+        throw new Error(`Invalid timeout for stage ${stage.id}: must be between 1ms and 2 hours`);
+      }
+
+      // Validate success rate
+      if (stage.successRate < 0 || stage.successRate > 1) {
+        throw new Error(`Invalid success rate for stage ${stage.id}: must be between 0 and 1`);
+      }
+
+      // Validate duration range
+      if (stage.durationRange.min <= 0 || stage.durationRange.max <= 0 || 
+          stage.durationRange.min > stage.durationRange.max) {
+        throw new Error(`Invalid duration range for stage ${stage.id}`);
+      }
+    }
+
+    // Validate pipeline settings
+    if (config.settings.maxConcurrency <= 0 || config.settings.maxConcurrency > 10) {
+      throw new Error('Invalid maxConcurrency setting: must be between 1 and 10');
+    }
+
+    if (config.settings.timeout <= 0 || config.settings.timeout > 86400000) { // Max 24 hours
+      throw new Error('Invalid pipeline timeout: must be between 1ms and 24 hours');
+    }
+  }
+
   /**
    * Execute stages respecting dependencies and concurrency limits
    */
@@ -381,18 +482,23 @@ export class SimulationEngine {
   ): { success: boolean; logs: string[]; metrics: StageMetrics; errors?: ErrorInfo[] } {
     const logs: string[] = [];
 
-    logs.push(`[${new Date().toISOString()}] 🐳 Building Docker image \`${stageConfig.config.imageName || 'app:latest'}\``);
-    logs.push(`[${new Date().toISOString()}] 📦 Step 1/8 : FROM ${stageConfig.config.baseImage || 'node:18-alpine'}`);
+    // Sanitize input to prevent command injection
+    const imageName = this.sanitizeInput(stageConfig.config.imageName || 'app:latest');
+    const baseImage = this.sanitizeInput(stageConfig.config.baseImage || 'node:18-alpine');
+
+    logs.push(`[${new Date().toISOString()}] 🐳 Building Docker image \`${imageName}\``);
+    logs.push(`[${new Date().toISOString()}] 📦 Step 1/8 : FROM ${baseImage}`);
 
     if (success) {
       logs.push(`[${new Date().toISOString()}] 📦 Step 8/8 : CMD ["npm", "start"]`);
       logs.push(`[${new Date().toISOString()}] ✅ Successfully built ${stageConfig.config.imageId || 'a1b2c3d4e5f6'}`);
       logs.push(`[${new Date().toISOString()}] 🔍 Image size: ${50 + Math.random() * 200}MB`);
 
-      // Create artifact
+      // Create artifact with sanitized data
       if (this.context) {
+        const sanitizedImageName = this.sanitizeInput(stageConfig.config.imageName || 'app');
         this.context.artifacts.set(`${stageConfig.id}-image`, {
-          name: `${stageConfig.config.imageName || 'app'}.tar.gz`,
+          name: `${sanitizedImageName}.tar.gz`,
           type: 'docker-image',
           size: Math.round(50 + Math.random() * 200) * 1024 * 1024,
           path: `/artifacts/${stageConfig.id}`,
@@ -406,6 +512,14 @@ export class SimulationEngine {
     return { success, logs, metrics };
   }
 
+  /**
+   * Sanitize input to prevent injection attacks
+   */
+  private sanitizeInput(input: string): string {
+    // Remove potentially dangerous characters
+    return input.replace(/[^\w\-\.\/:]/g, '');
+  }
+
   /**
    * Simulate unit test stage
    */

package/package.json

@@ -1,8 +1,8 @@
 
 {
   "name": "codeflow-hook",
-  "version": "2.1.0",
-  "description": "An interactive CI/CD simulator and lightweight pre-push code reviewer using Gemini AI",
+  "version": "2.2.0",
+  "description": "Local AI-powered code analysis and pre-push review for development workflows",
   "type": "module",
   "main": "index.js",
   "bin": {