codegate-ai 0.1.0

package/dist/layer4-remediation/backup-manager.js

@@ -0,0 +1,138 @@
+import { createHash, randomBytes } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync, } from "node:fs";
+import { dirname, isAbsolute, join, resolve } from "node:path";
+function isIgnorableBackupReadError(error) {
+    const code = error?.code;
+    return code === "ENOENT" || code === "ENOTDIR" || code === "EISDIR";
+}
+function readBackupSourceFile(sourcePath) {
+    try {
+        return readFileSync(sourcePath, "utf8");
+    }
+    catch (error) {
+        if (isIgnorableBackupReadError(error)) {
+            return null;
+        }
+        throw error;
+    }
+}
+function safeRelativePath(filePath) {
+    if (isAbsolute(filePath)) {
+        throw new Error(`Backup path must be relative: ${filePath}`);
+    }
+    if (filePath.includes("..")) {
+        throw new Error(`Backup path traversal is not allowed: ${filePath}`);
+    }
+    return filePath;
+}
+function hashContent(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+function ensureParentDirectory(path) {
+    mkdirSync(dirname(path), { recursive: true });
+}
+function backupRoot(projectRoot) {
+    return resolve(projectRoot, ".codegate-backup");
+}
+function sessionIdFromNow() {
+    const stamp = new Date().toISOString().replaceAll(":", "-").replaceAll(".", "-");
+    const nonce = randomBytes(3).toString("hex");
+    return `${stamp}-${nonce}`;
+}
+function manifestForSession(sessionDir) {
+    return join(sessionDir, ".manifest.json");
+}
+export function createBackupSession(input) {
+    const sessionId = sessionIdFromNow();
+    const root = backupRoot(input.projectRoot);
+    const sessionDir = join(root, sessionId);
+    mkdirSync(sessionDir, { recursive: true });
+    const entries = [];
+    for (const filePath of input.filePaths) {
+        const relativePath = safeRelativePath(filePath);
+        const sourcePath = resolve(input.projectRoot, relativePath);
+        const content = readBackupSourceFile(sourcePath);
+        if (content === null) {
+            continue;
+        }
+        const destinationPath = resolve(sessionDir, relativePath);
+        ensureParentDirectory(destinationPath);
+        writeFileSync(destinationPath, content, "utf8");
+        entries.push({
+            path: relativePath,
+            sha256: hashContent(content),
+            size: Buffer.byteLength(content, "utf8"),
+        });
+    }
+    const manifest = {
+        codegate_version: input.version,
+        created_at: new Date().toISOString(),
+        files: entries,
+    };
+    const manifestPath = manifestForSession(sessionDir);
+    writeFileSync(manifestPath, JSON.stringify(manifest, null, 2), "utf8");
+    return {
+        sessionId,
+        sessionDir,
+        manifestPath,
+        manifest,
+    };
+}
+export function listBackupSessions(projectRoot) {
+    const root = backupRoot(projectRoot);
+    if (!existsSync(root)) {
+        return [];
+    }
+    return readdirSync(root)
+        .filter((entry) => entry !== "quarantine")
+        .filter((entry) => {
+        const fullPath = join(root, entry);
+        return statSync(fullPath).isDirectory();
+    })
+        .sort()
+        .reverse();
+}
+function readManifest(projectRoot, sessionId) {
+    const sessionDir = join(backupRoot(projectRoot), sessionId);
+    const manifestPath = manifestForSession(sessionDir);
+    if (!existsSync(manifestPath)) {
+        throw new Error(`Backup manifest missing for session ${sessionId}`);
+    }
+    const raw = readFileSync(manifestPath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== "object") {
+        throw new Error(`Invalid backup manifest for session ${sessionId}`);
+    }
+    const manifest = parsed;
+    if (!Array.isArray(manifest.files)) {
+        throw new Error(`Invalid backup manifest for session ${sessionId}`);
+    }
+    return manifest;
+}
+export function restoreBackupSession(input) {
+    const sessionDir = join(backupRoot(input.projectRoot), input.sessionId);
+    const manifest = readManifest(input.projectRoot, input.sessionId);
+    for (const entry of manifest.files) {
+        const backupPath = resolve(sessionDir, safeRelativePath(entry.path));
+        if (!existsSync(backupPath)) {
+            throw new Error(`Backup file missing: ${entry.path}`);
+        }
+        const content = readFileSync(backupPath, "utf8");
+        const actualHash = hashContent(content);
+        if (actualHash !== entry.sha256) {
+            throw new Error(`Backup manifest hash mismatch for ${entry.path}`);
+        }
+    }
+    for (const entry of manifest.files) {
+        const backupPath = resolve(sessionDir, safeRelativePath(entry.path));
+        const targetPath = resolve(input.projectRoot, safeRelativePath(entry.path));
+        const content = readFileSync(backupPath, "utf8");
+        ensureParentDirectory(targetPath);
+        writeFileSync(targetPath, content, "utf8");
+    }
+    rmSync(sessionDir, { recursive: true, force: true });
+    return {
+        restoredFiles: manifest.files.length,
+        sessionId: input.sessionId,
+    };
+}

package/dist/layer4-remediation/diff-generator.d.ts

@@ -0,0 +1,6 @@
+export interface DiffInput {
+    filePath: string;
+    before: string;
+    after: string;
+}
+export declare function generateUnifiedDiff(input: DiffInput): string;

package/dist/layer4-remediation/diff-generator.js

@@ -0,0 +1,29 @@
+export function generateUnifiedDiff(input) {
+    if (input.before === input.after) {
+        return "";
+    }
+    const beforeLines = input.before.split("\n");
+    const afterLines = input.after.split("\n");
+    const maxLines = Math.max(beforeLines.length, afterLines.length);
+    const lines = [];
+    lines.push(`--- a/${input.filePath}`);
+    lines.push(`+++ b/${input.filePath}`);
+    lines.push("@@");
+    for (let index = 0; index < maxLines; index += 1) {
+        const beforeLine = beforeLines[index];
+        const afterLine = afterLines[index];
+        if (beforeLine === afterLine) {
+            if (beforeLine !== undefined) {
+                lines.push(` ${beforeLine}`);
+            }
+            continue;
+        }
+        if (beforeLine !== undefined) {
+            lines.push(`-${beforeLine}`);
+        }
+        if (afterLine !== undefined) {
+            lines.push(`+${afterLine}`);
+        }
+    }
+    return lines.join("\n");
+}

package/dist/layer4-remediation/remediation-runner.d.ts

@@ -0,0 +1,36 @@
+import { type CodeGateConfig } from "../config.js";
+import type { CodeGateReport } from "../types/report.js";
+import { type RemediationPlanItem } from "./remediator.js";
+export interface RemediationFlags {
+    remediate?: boolean;
+    fixSafe?: boolean;
+    dryRun?: boolean;
+    patch?: boolean;
+    output?: string;
+}
+export interface RemediationRunnerInput {
+    scanTarget: string;
+    report: CodeGateReport;
+    config: CodeGateConfig;
+    flags: RemediationFlags;
+    isTTY: boolean;
+}
+export interface RemediationRunnerResult {
+    report: CodeGateReport;
+    plannedCount: number;
+    appliedCount: number;
+    plannedActions?: Array<{
+        findingId: string;
+        filePath: string;
+        action: RemediationPlanItem["action"]["type"];
+    }>;
+    appliedActions?: Array<{
+        findingId: string;
+        filePath: string;
+        action: RemediationPlanItem["action"]["type"];
+    }>;
+    backupSessionId?: string;
+    patchContent?: string;
+    patchPath?: string;
+}
+export declare function runRemediation(input: RemediationRunnerInput): RemediationRunnerResult;

package/dist/layer4-remediation/remediation-runner.js

@@ -0,0 +1,230 @@
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { applyConfigPolicy } from "../config.js";
+import { createBackupSession } from "./backup-manager.js";
+import { generateUnifiedDiff } from "./diff-generator.js";
+import { applyRemediationAction, planRemediation, } from "./remediator.js";
+function inferFormat(filePath) {
+    if (filePath.endsWith(".json")) {
+        return "json";
+    }
+    if (filePath.endsWith(".jsonc")) {
+        return "jsonc";
+    }
+    if (filePath.endsWith(".toml")) {
+        return "toml";
+    }
+    if (filePath.endsWith(".yaml") || filePath.endsWith(".yml")) {
+        return "yaml";
+    }
+    if (filePath.endsWith(".env")) {
+        return "dotenv";
+    }
+    if (filePath.endsWith(".md") || filePath.endsWith(".mdc")) {
+        return "markdown";
+    }
+    return "text";
+}
+function loadRemediationFiles(scanTarget, report) {
+    const uniquePaths = Array.from(new Set(report.findings.flatMap((finding) => {
+        const paths = [finding.file_path];
+        if (finding.source_config?.file_path) {
+            paths.push(finding.source_config.file_path);
+        }
+        return paths;
+    })));
+    const files = [];
+    for (const relativePath of uniquePaths) {
+        const absolutePath = resolve(scanTarget, relativePath);
+        if (!existsSync(absolutePath)) {
+            continue;
+        }
+        files.push({
+            path: relativePath,
+            format: inferFormat(relativePath),
+            content: readFileSync(absolutePath, "utf8"),
+        });
+    }
+    return files;
+}
+function isSafeCriticalPlan(plan, report) {
+    const finding = report.findings.find((item) => item.finding_id === plan.findingId);
+    if (!finding || finding.severity !== "CRITICAL") {
+        return false;
+    }
+    return plan.action.type === "remove_field" || plan.action.type === "replace_value";
+}
+function choosePlans(input, plans) {
+    if (input.flags.fixSafe) {
+        return plans.filter((plan) => isSafeCriticalPlan(plan, input.report));
+    }
+    return plans;
+}
+function toPatchContent(plans) {
+    return plans
+        .map((plan) => plan.diff)
+        .filter((diff) => diff.length > 0)
+        .join("\n\n");
+}
+function toActionSummaries(plans) {
+    return plans.map((plan) => ({
+        findingId: plan.findingId,
+        filePath: plan.filePath,
+        action: plan.action.type,
+    }));
+}
+function findingById(report) {
+    return new Map(report.findings.map((finding) => [finding.finding_id, finding]));
+}
+function composeRemediationPlans(report, files, selectedPlans) {
+    const filesByPath = new Map(files.map((file) => [file.path, file]));
+    const findings = findingById(report);
+    const plansByFile = new Map();
+    for (const plan of selectedPlans) {
+        const grouped = plansByFile.get(plan.filePath);
+        if (grouped) {
+            grouped.push(plan);
+            continue;
+        }
+        plansByFile.set(plan.filePath, [plan]);
+    }
+    const composedPlans = [];
+    for (const [filePath, plans] of plansByFile.entries()) {
+        const file = filesByPath.get(filePath);
+        if (!file) {
+            continue;
+        }
+        const quarantinePlan = plans.find((plan) => plan.action.type === "quarantine");
+        if (quarantinePlan) {
+            const finding = findings.get(quarantinePlan.findingId);
+            if (!finding) {
+                continue;
+            }
+            const result = applyRemediationAction(quarantinePlan.action, file, finding);
+            if (!result.changed) {
+                continue;
+            }
+            composedPlans.push(...plans.map((plan) => ({
+                findingId: plan.findingId,
+                filePath,
+                action: { type: "quarantine" },
+                originalContent: file.content,
+                updatedContent: result.updatedContent,
+                diff: generateUnifiedDiff({
+                    filePath,
+                    before: file.content,
+                    after: result.updatedContent,
+                }),
+            })));
+            continue;
+        }
+        let workingFile = { ...file };
+        const appliedPlans = [];
+        const structuredPlans = plans.filter((plan) => plan.action.type === "remove_field" || plan.action.type === "replace_value");
+        const textPlans = plans.filter((plan) => plan.action.type === "strip_unicode");
+        for (const plan of [...structuredPlans, ...textPlans]) {
+            const finding = findings.get(plan.findingId);
+            if (!finding) {
+                continue;
+            }
+            const result = applyRemediationAction(plan.action, workingFile, finding);
+            if (!result.changed) {
+                continue;
+            }
+            const before = workingFile.content;
+            workingFile = {
+                ...workingFile,
+                content: result.updatedContent,
+            };
+            appliedPlans.push({
+                findingId: plan.findingId,
+                filePath,
+                action: plan.action,
+                originalContent: before,
+                updatedContent: result.updatedContent,
+                diff: generateUnifiedDiff({
+                    filePath,
+                    before,
+                    after: result.updatedContent,
+                }),
+            });
+        }
+        composedPlans.push(...appliedPlans);
+    }
+    return composedPlans;
+}
+export function runRemediation(input) {
+    const remediationEnabled = input.flags.remediate || input.flags.fixSafe || input.flags.patch || input.flags.dryRun;
+    if (!remediationEnabled) {
+        return {
+            report: input.report,
+            plannedCount: 0,
+            appliedCount: 0,
+        };
+    }
+    const files = loadRemediationFiles(input.scanTarget, input.report);
+    const plans = planRemediation({
+        findings: input.report.findings,
+        files,
+    });
+    const selectedPlans = choosePlans(input, plans);
+    const composedPlans = composeRemediationPlans(input.report, files, selectedPlans);
+    const patchContent = toPatchContent(composedPlans);
+    let patchPath;
+    if (input.flags.patch) {
+        if (input.flags.output) {
+            patchPath = resolve(input.scanTarget, input.flags.output);
+            writeFileSync(patchPath, patchContent, "utf8");
+        }
+        else if (input.isTTY) {
+            patchPath = resolve(input.scanTarget, "codegate-fixes.patch");
+            writeFileSync(patchPath, patchContent, "utf8");
+        }
+    }
+    if (input.flags.dryRun || (!input.flags.remediate && !input.flags.fixSafe)) {
+        return {
+            report: input.report,
+            plannedCount: composedPlans.length,
+            appliedCount: 0,
+            plannedActions: toActionSummaries(composedPlans),
+            appliedActions: [],
+            patchContent: input.flags.patch && !input.flags.output && !input.isTTY ? patchContent : undefined,
+            patchPath,
+        };
+    }
+    const filePlans = new Map();
+    for (const plan of composedPlans) {
+        if (!filePlans.has(plan.filePath)) {
+            filePlans.set(plan.filePath, plan);
+            continue;
+        }
+        filePlans.set(plan.filePath, {
+            ...plan,
+            originalContent: filePlans.get(plan.filePath)?.originalContent ?? plan.originalContent,
+        });
+    }
+    const session = createBackupSession({
+        projectRoot: input.scanTarget,
+        version: input.report.version,
+        filePaths: Array.from(filePlans.keys()),
+    });
+    for (const plan of filePlans.values()) {
+        writeFileSync(resolve(input.scanTarget, plan.filePath), plan.updatedContent, "utf8");
+    }
+    const appliedFindings = new Set(composedPlans.map((plan) => plan.findingId));
+    const remainingFindings = input.report.findings.filter((finding) => !appliedFindings.has(finding.finding_id));
+    const report = applyConfigPolicy({
+        ...input.report,
+        findings: remainingFindings,
+    }, input.config);
+    return {
+        report,
+        plannedCount: composedPlans.length,
+        appliedCount: composedPlans.length,
+        plannedActions: toActionSummaries(composedPlans),
+        appliedActions: toActionSummaries(composedPlans),
+        backupSessionId: session.sessionId,
+        patchContent: input.flags.patch && !input.flags.output && !input.isTTY ? patchContent : undefined,
+        patchPath,
+    };
+}

package/dist/layer4-remediation/remediator.d.ts

@@ -0,0 +1,36 @@
+import type { DiscoveryFormat } from "../types/discovery.js";
+import type { Finding } from "../types/finding.js";
+export interface RemediationFile {
+    path: string;
+    format: DiscoveryFormat;
+    content: string;
+}
+export type RemediationAction = {
+    type: "remove_field";
+    fieldPath: string;
+} | {
+    type: "replace_value";
+    fieldPath: string;
+    value: unknown;
+} | {
+    type: "strip_unicode";
+} | {
+    type: "quarantine";
+};
+export interface RemediationPlanItem {
+    findingId: string;
+    filePath: string;
+    action: RemediationAction;
+    originalContent: string;
+    updatedContent: string;
+    diff: string;
+}
+export interface RemediationPlanInput {
+    findings: Finding[];
+    files: RemediationFile[];
+}
+export declare function applyRemediationAction(action: RemediationAction, file: RemediationFile, finding: Finding): {
+    updatedContent: string;
+    changed: boolean;
+};
+export declare function planRemediation(input: RemediationPlanInput): RemediationPlanItem[];

package/dist/layer4-remediation/remediator.js

@@ -0,0 +1,117 @@
+import { parse as parseJsonc } from "jsonc-parser";
+import { generateUnifiedDiff } from "./diff-generator.js";
+import { buildQuarantinePlaceholder } from "./actions/quarantine.js";
+import { removeField } from "./actions/remove-field.js";
+import { replaceValue } from "./actions/replace-value.js";
+import { stripInvisibleUnicode } from "./actions/strip-unicode.js";
+function parseStructuredContent(format, content) {
+    if (format === "json") {
+        return JSON.parse(content);
+    }
+    if (format === "jsonc") {
+        return parseJsonc(content);
+    }
+    return null;
+}
+function serializeStructuredContent(format, value) {
+    if (format === "json" || format === "jsonc") {
+        return `${JSON.stringify(value, null, 2)}\n`;
+    }
+    return String(value ?? "");
+}
+function chooseAction(finding, fieldPath) {
+    if (finding.category === "ENV_OVERRIDE" && fieldPath) {
+        return { type: "remove_field", fieldPath };
+    }
+    if (finding.category === "CONSENT_BYPASS" && fieldPath) {
+        if (fieldPath === "enableAllProjectMcpServers") {
+            return {
+                type: "replace_value",
+                fieldPath,
+                value: false,
+            };
+        }
+        return { type: "remove_field", fieldPath };
+    }
+    if (finding.category === "RULE_INJECTION") {
+        return { type: "strip_unicode" };
+    }
+    if (finding.category === "COMMAND_EXEC" ||
+        finding.category === "SYMLINK_ESCAPE" ||
+        finding.category === "GIT_HOOK") {
+        return { type: "quarantine" };
+    }
+    return null;
+}
+export function applyRemediationAction(action, file, finding) {
+    if (action.type === "strip_unicode") {
+        const stripped = stripInvisibleUnicode(file.content);
+        return {
+            updatedContent: stripped.content,
+            changed: stripped.changed,
+        };
+    }
+    if (action.type === "quarantine") {
+        return {
+            updatedContent: buildQuarantinePlaceholder(file.path, finding.description, ".codegate-backup/quarantine"),
+            changed: true,
+        };
+    }
+    const parsed = parseStructuredContent(file.format, file.content);
+    if (parsed === null) {
+        return { updatedContent: file.content, changed: false };
+    }
+    if (action.type === "remove_field") {
+        const result = removeField(parsed, action.fieldPath);
+        return {
+            updatedContent: result.changed
+                ? serializeStructuredContent(file.format, result.value)
+                : file.content,
+            changed: result.changed,
+        };
+    }
+    const result = replaceValue(parsed, action.fieldPath, action.value);
+    return {
+        updatedContent: result.changed
+            ? serializeStructuredContent(file.format, result.value)
+            : file.content,
+        changed: result.changed,
+    };
+}
+export function planRemediation(input) {
+    const filesByPath = new Map(input.files.map((file) => [file.path, file]));
+    const plan = [];
+    for (const finding of input.findings) {
+        if (!finding.fixable || finding.suppressed) {
+            continue;
+        }
+        const targetPath = finding.source_config?.file_path ?? finding.file_path;
+        const fieldPath = finding.source_config?.field ?? finding.location.field;
+        const file = filesByPath.get(targetPath);
+        if (!file) {
+            continue;
+        }
+        const action = chooseAction(finding, fieldPath);
+        if (!action) {
+            continue;
+        }
+        const result = applyRemediationAction(action, file, finding);
+        if (!result.changed) {
+            continue;
+        }
+        const diff = generateUnifiedDiff({
+            filePath: file.path,
+            before: file.content,
+            after: result.updatedContent,
+        });
+        plan.push({
+            findingId: finding.finding_id,
+            filePath: file.path,
+            action,
+            originalContent: file.content,
+            updatedContent: result.updatedContent,
+            diff,
+        });
+    }
+    return plan;
+}

package/dist/path-display.d.ts

@@ -0,0 +1 @@
+export declare function toAbsoluteDisplayPath(scanTarget: string, filePath: string): string;

package/dist/path-display.js

@@ -0,0 +1,20 @@
+import { isAbsolute, resolve } from "node:path";
+const URI_LIKE_PATTERN = /^[a-z][a-z0-9+.-]*:/iu;
+export function toAbsoluteDisplayPath(scanTarget, filePath) {
+    if (filePath.length === 0) {
+        return filePath;
+    }
+    if (isAbsolute(filePath)) {
+        return filePath;
+    }
+    if (filePath === "~" || filePath.startsWith("~/")) {
+        return filePath;
+    }
+    if (!isAbsolute(scanTarget)) {
+        return filePath;
+    }
+    if (URI_LIKE_PATTERN.test(filePath)) {
+        return filePath;
+    }
+    return resolve(scanTarget, filePath);
+}

package/dist/pipeline.d.ts

@@ -0,0 +1,34 @@
+import { type StaticEngineConfig, type StaticFileInput } from "./layer2-static/engine.js";
+import { type CodeGateReport } from "./types/report.js";
+import type { GitHookEntry } from "./layer2-static/detectors/git-hooks.js";
+import type { SymlinkEscapeEntry } from "./layer2-static/detectors/symlink.js";
+import type { ResourceFetchResult, ResourceRequest } from "./layer3-dynamic/resource-fetcher.js";
+import type { Finding } from "./types/finding.js";
+export interface StaticPipelineInput {
+    version: string;
+    kbVersion: string;
+    scanTarget: string;
+    toolsDetected: string[];
+    projectRoot: string;
+    files: StaticFileInput[];
+    symlinkEscapes: SymlinkEscapeEntry[];
+    hooks: GitHookEntry[];
+    config: StaticEngineConfig;
+}
+export interface DeepScanResource {
+    id: string;
+    request: ResourceRequest;
+    commandPreview: string;
+}
+export interface DeepScanOutcome {
+    resourceId: string;
+    approved: boolean;
+    status: "skipped_without_consent" | "ok" | "auth_failure" | "timeout" | "network_error" | "command_error";
+    result?: ResourceFetchResult;
+}
+export declare function runStaticPipeline(input: StaticPipelineInput): CodeGateReport;
+export declare function layer3OutcomesToFindings(outcomes: DeepScanOutcome[], options?: {
+    unicodeAnalysis?: boolean;
+}): Finding[];
+export declare function mergeLayer3Findings(baseReport: CodeGateReport, layer3Findings: Finding[]): CodeGateReport;
+export declare function runDeepScanWithConsent(resources: DeepScanResource[], requestConsent: (resource: DeepScanResource) => Promise<boolean> | boolean, execute: (resource: DeepScanResource) => Promise<ResourceFetchResult>): Promise<DeepScanOutcome[]>;