codegate-ai 0.1.0

package/dist/tui/views/progress.js

@@ -0,0 +1,6 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { Box, Text } from "ink";
+import { defaultTheme } from "../theme.js";
+export function ProgressView(props) {
+    return (_jsxs(Box, { flexDirection: "column", borderStyle: "round", paddingX: 1, children: [_jsx(Text, { color: defaultTheme.title, children: "Progress" }), _jsx(Text, { children: props.progressMessage ?? "Scanning..." })] }));
+}

package/dist/tui/views/summary.d.ts

@@ -0,0 +1,5 @@
+import type { CodeGateReport } from "../../types/report.js";
+export interface SummaryViewProps {
+    report: CodeGateReport;
+}
+export declare function SummaryView(props: SummaryViewProps): import("react/jsx-runtime").JSX.Element;

package/dist/tui/views/summary.js

@@ -0,0 +1,16 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { Box, Text } from "ink";
+import { defaultTheme } from "../theme.js";
+function statusLabel(exitCode) {
+    if (exitCode === 0) {
+        return { text: "SAFE", color: defaultTheme.ok };
+    }
+    if (exitCode === 1) {
+        return { text: "WARNINGS", color: defaultTheme.warning };
+    }
+    return { text: "DANGEROUS", color: defaultTheme.danger };
+}
+export function SummaryView(props) {
+    const status = statusLabel(props.report.summary.exit_code);
+    return (_jsxs(Box, { flexDirection: "column", borderStyle: "round", paddingX: 1, children: [_jsx(Text, { color: defaultTheme.title, children: "Summary" }), _jsxs(Text, { children: ["Status: ", _jsx(Text, { color: status.color, children: status.text })] }), _jsxs(Text, { children: ["Total findings: ", props.report.summary.total] }), _jsxs(Text, { children: ["Fixable findings: ", props.report.summary.fixable] }), _jsxs(Text, { children: ["Suppressed findings: ", props.report.summary.suppressed] })] }));
+}

package/dist/types/discovery.d.ts

@@ -0,0 +1,12 @@
+export type DiscoveryFormat = "jsonc" | "json" | "toml" | "yaml" | "dotenv" | "text" | "markdown";
+export type DiscoveryScope = "project" | "user";
+export interface DiscoveryResult {
+    tool: string;
+    configPath: string;
+    absolutePath: string;
+    format: DiscoveryFormat;
+    scope: DiscoveryScope;
+    riskSurfaces: string[];
+    isSymlink: boolean;
+    symlinkTarget?: string;
+}

package/dist/types/discovery.js

@@ -0,0 +1 @@
+export {};

package/dist/types/finding.d.ts

@@ -0,0 +1,46 @@
+export declare const SEVERITIES: readonly ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"];
+export type Severity = (typeof SEVERITIES)[number];
+export declare const FINDING_CATEGORIES: readonly ["ENV_OVERRIDE", "COMMAND_EXEC", "CONSENT_BYPASS", "RULE_INJECTION", "IDE_SETTINGS", "SYMLINK_ESCAPE", "GIT_HOOK", "CONFIG_PRESENT", "PARSE_ERROR", "CONFIG_CHANGE", "NEW_SERVER", "TOXIC_FLOW"];
+export type FindingCategory = (typeof FINDING_CATEGORIES)[number];
+export type FindingLayer = "L1" | "L2" | "L3";
+export type FindingConfidence = "HIGH" | "MEDIUM" | "LOW";
+export interface FindingLocation {
+    field?: string;
+    line?: number;
+    column?: number;
+}
+export interface FindingSourceConfig {
+    file_path: string;
+    field?: string;
+}
+export interface AffectedLocation {
+    file_path: string;
+    location?: FindingLocation;
+}
+export interface Finding {
+    rule_id: string;
+    finding_id: string;
+    severity: Severity;
+    category: FindingCategory;
+    layer: FindingLayer;
+    file_path: string;
+    location: FindingLocation;
+    affected_locations?: AffectedLocation[] | null;
+    description: string;
+    affected_tools: string[];
+    cve?: string | null;
+    owasp: string[];
+    cwe: string;
+    confidence: FindingConfidence;
+    fixable: boolean;
+    remediation_actions: string[];
+    evidence?: string | null;
+    observed?: string[] | null;
+    inference?: string | null;
+    not_verified?: string[] | null;
+    incident_id?: string | null;
+    incident_title?: string | null;
+    incident_primary?: boolean | null;
+    source_config?: FindingSourceConfig | null;
+    suppressed: boolean;
+}

package/dist/types/finding.js

@@ -0,0 +1,15 @@
+export const SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"];
+export const FINDING_CATEGORIES = [
+    "ENV_OVERRIDE",
+    "COMMAND_EXEC",
+    "CONSENT_BYPASS",
+    "RULE_INJECTION",
+    "IDE_SETTINGS",
+    "SYMLINK_ESCAPE",
+    "GIT_HOOK",
+    "CONFIG_PRESENT",
+    "PARSE_ERROR",
+    "CONFIG_CHANGE",
+    "NEW_SERVER",
+    "TOXIC_FLOW",
+];

package/dist/types/report.d.ts

@@ -0,0 +1,25 @@
+import type { Finding } from "./finding.js";
+export interface ReportSummary {
+    total: number;
+    by_severity: Record<string, number>;
+    fixable: number;
+    suppressed: number;
+    exit_code: number;
+}
+export interface CodeGateReport {
+    version: string;
+    scan_target: string;
+    timestamp: string;
+    kb_version: string;
+    tools_detected: string[];
+    findings: Finding[];
+    summary: ReportSummary;
+}
+export interface EmptyReportOptions {
+    version: string;
+    scanTarget: string;
+    kbVersion: string;
+    toolsDetected: string[];
+    exitCode: number;
+}
+export declare function createEmptyReport(options: EmptyReportOptions): CodeGateReport;

package/dist/types/report.js

@@ -0,0 +1,23 @@
+export function createEmptyReport(options) {
+    return {
+        version: options.version,
+        scan_target: options.scanTarget,
+        timestamp: new Date().toISOString(),
+        kb_version: options.kbVersion,
+        tools_detected: options.toolsDetected,
+        findings: [],
+        summary: {
+            total: 0,
+            by_severity: {
+                CRITICAL: 0,
+                HIGH: 0,
+                MEDIUM: 0,
+                LOW: 0,
+                INFO: 0,
+            },
+            fixable: 0,
+            suppressed: 0,
+            exit_code: options.exitCode,
+        },
+    };
+}

package/dist/wrapper.d.ts

@@ -0,0 +1,35 @@
+import { type CodeGateConfig } from "./config.js";
+import { type ToolDetection } from "./layer1-discovery/tool-detector.js";
+import type { CodeGateReport } from "./types/report.js";
+export declare const RUN_TARGETS: readonly ["claude", "opencode", "codex", "cursor", "windsurf", "kiro"];
+export type RunTarget = (typeof RUN_TARGETS)[number];
+interface LaunchResult {
+    status: number | null;
+    error?: Error;
+}
+export interface RunCommandInput {
+    target: string;
+    cwd: string;
+    version: string;
+    config: CodeGateConfig;
+    force?: boolean;
+    onReport?: (report: CodeGateReport) => void;
+    requestWarningProceed?: (report: CodeGateReport) => Promise<boolean> | boolean;
+}
+interface ScanInput {
+    version: string;
+    scanTarget: string;
+    config: CodeGateConfig;
+}
+export interface WrapperDeps {
+    runScan: (input: ScanInput) => Promise<CodeGateReport>;
+    detectTools: () => ToolDetection[];
+    launchTool: (command: string, args: string[], cwd: string) => LaunchResult;
+    collectScanSurface: (scanTarget: string, config: CodeGateConfig) => Promise<string[]> | string[];
+    captureSnapshot: (paths: string[]) => Map<string, string>;
+    stdout: (message: string) => void;
+    stderr: (message: string) => void;
+    setExitCode: (code: number) => void;
+}
+export declare function executeWrapperRun(input: RunCommandInput, deps?: WrapperDeps): Promise<void>;
+export {};

package/dist/wrapper.js

@@ -0,0 +1,220 @@
+import { spawnSync } from "node:child_process";
+import { readFileSync, statSync } from "node:fs";
+import { createHash } from "node:crypto";
+import { homedir } from "node:os";
+import { isAbsolute, relative, resolve, sep } from "node:path";
+import { applyConfigPolicy } from "./config.js";
+import { evaluatePostScanGuard, evaluatePreLaunchGuard } from "./commands/run-policy.js";
+import { detectTools } from "./layer1-discovery/tool-detector.js";
+import { renderTerminalReport } from "./reporter/terminal.js";
+import { collectScanSurface, runScanEngine } from "./scan.js";
+export const RUN_TARGETS = ["claude", "opencode", "codex", "cursor", "windsurf", "kiro"];
+const TARGETS = {
+    claude: {
+        label: "claude",
+        detectorTool: "claude-code",
+        binary: "claude",
+        guiLike: false,
+    },
+    opencode: {
+        label: "opencode",
+        detectorTool: "opencode",
+        binary: "opencode",
+        guiLike: false,
+    },
+    codex: {
+        label: "codex",
+        detectorTool: "codex-cli",
+        binary: "codex",
+        guiLike: false,
+    },
+    cursor: {
+        label: "cursor",
+        detectorTool: "cursor",
+        binary: "cursor",
+        guiLike: true,
+    },
+    windsurf: {
+        label: "windsurf",
+        detectorTool: "windsurf",
+        binary: "windsurf",
+        guiLike: true,
+    },
+    kiro: {
+        label: "kiro",
+        detectorTool: "kiro",
+        binary: "kiro",
+        guiLike: true,
+    },
+};
+function isRunTarget(value) {
+    return RUN_TARGETS.includes(value);
+}
+function fingerprintFile(deps) {
+    const content = deps.readFile(deps.path);
+    const hash = createHash("sha256").update(content).digest("hex");
+    const mtime = deps.stat(deps.path);
+    return `${mtime}:${hash}`;
+}
+function defaultCaptureSnapshot(paths) {
+    const snapshot = new Map();
+    for (const filePath of paths) {
+        try {
+            const mode = statSync(filePath).mode;
+            if ((mode & 0o170000) !== 0o100000) {
+                continue;
+            }
+            snapshot.set(filePath, fingerprintFile({
+                path: filePath,
+                readFile: (path) => readFileSync(path, "utf8"),
+                stat: (path) => statSync(path).mtimeMs,
+            }));
+        }
+        catch {
+            continue;
+        }
+    }
+    return snapshot;
+}
+function snapshotsEqual(before, after) {
+    if (before.size !== after.size) {
+        return false;
+    }
+    for (const [key, value] of before.entries()) {
+        if (after.get(key) !== value) {
+            return false;
+        }
+    }
+    return true;
+}
+function expandHomePath(path) {
+    if (path === "~") {
+        return homedir();
+    }
+    if (path.startsWith(`~${sep}`) || path.startsWith("~/")) {
+        return resolve(homedir(), path.slice(2));
+    }
+    return path;
+}
+function isTrustedDirectory(cwd, trustedDirectories) {
+    const resolvedCwd = resolve(cwd);
+    return trustedDirectories.some((trustedPath) => {
+        const resolvedTrusted = resolve(expandHomePath(trustedPath));
+        const rel = relative(resolvedTrusted, resolvedCwd);
+        return rel === "" || (!rel.startsWith("..") && !isAbsolute(rel));
+    });
+}
+const defaultWrapperDeps = {
+    runScan: async (input) => runScanEngine({
+        version: input.version,
+        scanTarget: input.scanTarget,
+        config: input.config,
+        scanStatePath: input.config.scan_state_path,
+    }),
+    detectTools: () => detectTools(),
+    collectScanSurface: (scanTarget, config) => collectScanSurface(scanTarget, undefined, {
+        includeUserScope: config.scan_user_scope === true,
+    }),
+    launchTool: (command, args, cwd) => {
+        const result = spawnSync(command, args, { cwd, stdio: "inherit" });
+        return {
+            status: result.status,
+            error: result.error ?? undefined,
+        };
+    },
+    captureSnapshot: (paths) => defaultCaptureSnapshot(paths),
+    stdout: (message) => {
+        process.stdout.write(`${message}\n`);
+    },
+    stderr: (message) => {
+        process.stderr.write(`${message}\n`);
+    },
+    setExitCode: (code) => {
+        process.exitCode = code;
+    },
+};
+export async function executeWrapperRun(input, deps = defaultWrapperDeps) {
+    const normalizedTarget = input.target.trim().toLowerCase();
+    if (!isRunTarget(normalizedTarget)) {
+        deps.stderr(`Unknown tool: ${input.target}. Valid targets: ${RUN_TARGETS.join(", ")}.`);
+        deps.setExitCode(3);
+        return;
+    }
+    const target = TARGETS[normalizedTarget];
+    const detection = deps
+        .detectTools()
+        .find((tool) => tool.tool === target.detectorTool && tool.installed);
+    if (!detection) {
+        deps.stderr(`${target.label} is not installed.`);
+        deps.setExitCode(3);
+        return;
+    }
+    const resolvedCwd = resolve(input.cwd);
+    const preScanSurface = await deps.collectScanSurface(input.cwd, input.config);
+    const preScanSnapshot = deps.captureSnapshot(preScanSurface);
+    const rawReport = await deps.runScan({
+        version: input.version,
+        scanTarget: input.cwd,
+        config: input.config,
+    });
+    const report = applyConfigPolicy(rawReport, input.config);
+    if (input.onReport) {
+        input.onReport(report);
+    }
+    else {
+        deps.stdout(renderTerminalReport(report));
+    }
+    const scanSurface = await deps.collectScanSurface(input.cwd, input.config);
+    const scanSnapshot = deps.captureSnapshot(scanSurface);
+    const postScanDecision = evaluatePostScanGuard({
+        report,
+        scanSurfaceChanged: !snapshotsEqual(preScanSnapshot, scanSnapshot),
+        force: input.force === true,
+        autoProceedBelowThreshold: input.config.auto_proceed_below_threshold === true,
+        insideTrustedDirectory: isTrustedDirectory(resolvedCwd, input.config.trusted_directories),
+    });
+    if (postScanDecision.kind === "block") {
+        const writer = postScanDecision.stream === "stderr" ? deps.stderr : deps.stdout;
+        writer(postScanDecision.message);
+        deps.setExitCode(postScanDecision.exitCode);
+        return;
+    }
+    if (postScanDecision.kind === "prompt") {
+        if (!input.requestWarningProceed) {
+            deps.stderr("Warning findings detected. Re-run with --force to launch non-interactively or enable auto_proceed_below_threshold.");
+            deps.setExitCode(1);
+            return;
+        }
+        const approved = await input.requestWarningProceed(report);
+        if (!approved) {
+            deps.stdout("Launch cancelled because warning findings require confirmation.");
+            deps.setExitCode(1);
+            return;
+        }
+    }
+    const launchSurface = await deps.collectScanSurface(input.cwd, input.config);
+    const launchSnapshot = deps.captureSnapshot(launchSurface);
+    const preLaunchDecision = evaluatePreLaunchGuard({
+        launchSurfaceChanged: !snapshotsEqual(scanSnapshot, launchSnapshot),
+    });
+    if (preLaunchDecision.kind === "block") {
+        const writer = preLaunchDecision.stream === "stderr" ? deps.stderr : deps.stdout;
+        writer(preLaunchDecision.message);
+        deps.setExitCode(preLaunchDecision.exitCode);
+        return;
+    }
+    if (target.guiLike && detection.source !== "path") {
+        deps.stdout(`Scan complete. ${target.label} appears installed without a CLI launcher. Launch it manually.`);
+        deps.setExitCode(report.summary.exit_code);
+        return;
+    }
+    const args = target.guiLike ? ["."] : [];
+    const launched = deps.launchTool(target.binary, args, input.cwd);
+    if (launched.status !== 0 || launched.error) {
+        const reason = launched.error?.message ?? `exit status ${launched.status ?? "unknown"}`;
+        deps.stderr(`Failed to launch ${target.label}: ${reason}`);
+        deps.setExitCode(3);
+        return;
+    }
+    deps.setExitCode(report.summary.exit_code);
+}

package/package.json

@@ -0,0 +1,97 @@
+{
+  "name": "codegate-ai",
+  "version": "0.1.0",
+  "description": "Pre-flight security scanner for AI coding tool configurations.",
+  "license": "MIT",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/jonathansantilli/codegate.git"
+  },
+  "homepage": "https://github.com/jonathansantilli/codegate#readme",
+  "bugs": {
+    "url": "https://github.com/jonathansantilli/codegate/issues"
+  },
+  "keywords": [
+    "ai-security",
+    "cli",
+    "code-scanning",
+    "codex",
+    "config-security",
+    "mcp",
+    "prompt-injection",
+    "security"
+  ],
+  "bin": {
+    "codegate": "dist/cli.js"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json && node scripts/copy-assets.mjs",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "test": "vitest run",
+    "test:perf": "vitest run tests/perf/scan-performance.test.ts",
+    "test:reliability": "vitest run tests/reliability/signal-handling.test.ts",
+    "typecheck": "tsc --noEmit -p tsconfig.json",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "release": "semantic-release",
+    "release:dry-run": "semantic-release --dry-run --no-ci",
+    "prepare": "husky"
+  },
+  "engines": {
+    "node": "^20.19.0 || ^22.13.0 || >=24.0.0"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "lint-staged": {
+    "*.{js,mjs,cjs,ts,tsx}": [
+      "eslint --fix --max-warnings=0 --no-warn-ignored",
+      "prettier --write"
+    ],
+    "*.{json,md,yml,yaml}": [
+      "prettier --write"
+    ]
+  },
+  "dependencies": {
+    "ajv": "^8.18.0",
+    "commander": "^14.0.3",
+    "dotenv": "^17.3.1",
+    "ink": "^6.8.0",
+    "js-yaml": "^4.1.1",
+    "jsonc-parser": "^3.3.1",
+    "react": "^19.2.4",
+    "smol-toml": "^1.6.0",
+    "which": "^6.0.1"
+  },
+  "devDependencies": {
+    "@eslint/js": "^10.0.1",
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/commit-analyzer": "^13.0.1",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/github": "^11.0.6",
+    "@semantic-release/npm": "^12.0.2",
+    "@semantic-release/release-notes-generator": "^14.1.0",
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^25.3.5",
+    "@types/react": "^19.2.14",
+    "@types/which": "^3.0.4",
+    "eslint": "^10.0.2",
+    "globals": "^17.4.0",
+    "husky": "^9.1.7",
+    "ink-testing-library": "^4.0.0",
+    "lint-staged": "^16.3.2",
+    "prettier": "^3.8.1",
+    "semantic-release": "^24.2.9",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.56.1",
+    "vitest": "^4.0.18"
+  }
+}