codegate-ai 0.1.0

package/dist/commands/scan-command/helpers.js

@@ -0,0 +1,233 @@
+import { resolve } from "node:path";
+import { renderHtmlReport } from "../../reporter/html.js";
+import { renderJsonReport } from "../../reporter/json.js";
+import { renderMarkdownReport } from "../../reporter/markdown.js";
+import { renderSarifReport } from "../../reporter/sarif.js";
+import { renderTerminalReport } from "../../reporter/terminal.js";
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+export function metadataSummary(metadata) {
+    let raw;
+    if (typeof metadata === "string") {
+        raw = metadata;
+    }
+    else {
+        try {
+            raw = JSON.stringify(metadata, null, 2);
+        }
+        catch {
+            raw = String(metadata);
+        }
+    }
+    const maxLength = 5000;
+    if (raw.length <= maxLength) {
+        return raw;
+    }
+    return `${raw.slice(0, maxLength)}\n...[truncated ${raw.length - maxLength} chars]`;
+}
+function parseJsonCandidate(value) {
+    return JSON.parse(value);
+}
+function unwrapMetaAgentEnvelope(parsed) {
+    if (!isRecord(parsed)) {
+        return parsed;
+    }
+    const result = parsed.result;
+    if (typeof result !== "string") {
+        return parsed;
+    }
+    const nested = parseMetaAgentOutput(result);
+    return nested ?? parsed;
+}
+export function parseMetaAgentOutput(stdout) {
+    const trimmed = stdout.trim();
+    if (trimmed.length === 0) {
+        return null;
+    }
+    try {
+        return unwrapMetaAgentEnvelope(parseJsonCandidate(trimmed));
+    }
+    catch {
+        // Fall back to extracting a JSON block from markdown or mixed CLI output.
+    }
+    const fenced = /```(?:json)?\s*([\s\S]*?)```/giu;
+    let match = fenced.exec(trimmed);
+    while (match) {
+        try {
+            return parseJsonCandidate(match[1] ?? "");
+        }
+        catch {
+            // Continue parsing additional fenced blocks.
+        }
+        match = fenced.exec(trimmed);
+    }
+    const candidates = [trimmed.match(/\{[\s\S]*\}/u)?.[0], trimmed.match(/\[[\s\S]*\]/u)?.[0]];
+    for (const candidate of candidates) {
+        if (!candidate) {
+            continue;
+        }
+        try {
+            return unwrapMetaAgentEnvelope(parseJsonCandidate(candidate));
+        }
+        catch {
+            // Continue trying fallback candidates.
+        }
+    }
+    return null;
+}
+export function withMetaAgentFinding(metadata, finding) {
+    const findingPayload = {
+        id: finding.id,
+        severity: finding.severity,
+        category: "PARSE_ERROR",
+        description: finding.description,
+        field: "layer3.meta_agent",
+        confidence: "HIGH",
+        evidence: finding.evidence,
+    };
+    if (!isRecord(metadata)) {
+        return { findings: [findingPayload] };
+    }
+    const existing = Array.isArray(metadata.findings) ? metadata.findings : [];
+    return {
+        ...metadata,
+        findings: [...existing, findingPayload],
+    };
+}
+export function mergeMetaAgentMetadata(baseMetadata, agentMetadata) {
+    if (!isRecord(baseMetadata)) {
+        return agentMetadata;
+    }
+    if (!isRecord(agentMetadata)) {
+        return baseMetadata;
+    }
+    const baseFindings = Array.isArray(baseMetadata.findings) ? baseMetadata.findings : [];
+    const agentFindings = Array.isArray(agentMetadata.findings) ? agentMetadata.findings : [];
+    return {
+        ...baseMetadata,
+        ...agentMetadata,
+        findings: [...baseFindings, ...agentFindings],
+    };
+}
+export function noEligibleDeepResourceNotes() {
+    return [
+        "Deep scan skipped: no eligible external resources were discovered.",
+        "Deep scan analyzes only remote MCP URLs (http/sse) and package-backed commands (npx/uvx/pipx).",
+        "Local stdio commands (for example `bash`) are still detected by Layer 2 but are never executed by deep scan.",
+    ];
+}
+export function parseLocalTextFindings(filePath, metadata) {
+    if (!isRecord(metadata) || !Array.isArray(metadata.findings)) {
+        return [];
+    }
+    return metadata.findings
+        .filter((item) => isRecord(item))
+        .map((item, index) => ({
+        rule_id: typeof item.id === "string" ? item.id : "layer3-local-text-analysis-finding",
+        finding_id: typeof item.id === "string" ? item.id : `L3-local-${filePath}-${index}`,
+        severity: item.severity === "CRITICAL" ||
+            item.severity === "HIGH" ||
+            item.severity === "MEDIUM" ||
+            item.severity === "LOW"
+            ? item.severity
+            : "INFO",
+        category: item.category === "ENV_OVERRIDE" ||
+            item.category === "COMMAND_EXEC" ||
+            item.category === "CONSENT_BYPASS" ||
+            item.category === "RULE_INJECTION" ||
+            item.category === "IDE_SETTINGS" ||
+            item.category === "SYMLINK_ESCAPE" ||
+            item.category === "GIT_HOOK" ||
+            item.category === "CONFIG_PRESENT" ||
+            item.category === "CONFIG_CHANGE" ||
+            item.category === "NEW_SERVER" ||
+            item.category === "TOXIC_FLOW"
+            ? item.category
+            : "PARSE_ERROR",
+        layer: "L3",
+        file_path: typeof item.file_path === "string" ? item.file_path : filePath,
+        location: { field: typeof item.field === "string" ? item.field : "content" },
+        description: typeof item.description === "string" ? item.description : "Local text analysis finding",
+        affected_tools: [],
+        cve: null,
+        owasp: Array.isArray(item.owasp)
+            ? item.owasp.filter((value) => typeof value === "string")
+            : [],
+        cwe: typeof item.cwe === "string" ? item.cwe : "CWE-20",
+        confidence: item.confidence === "HIGH" || item.confidence === "MEDIUM" ? item.confidence : "LOW",
+        evidence: typeof item.evidence === "string" ? item.evidence : null,
+        fixable: false,
+        remediation_actions: [],
+        suppressed: false,
+    }));
+}
+function remediationModeLabel(options) {
+    if (options.fixSafe) {
+        return "fix-safe";
+    }
+    if (options.remediate && options.dryRun) {
+        return "remediate (dry-run)";
+    }
+    if (options.remediate) {
+        return "remediate";
+    }
+    if (options.patch && options.dryRun) {
+        return "patch (dry-run)";
+    }
+    if (options.patch) {
+        return "patch";
+    }
+    if (options.dryRun) {
+        return "dry-run";
+    }
+    return "remediation";
+}
+export function remediationSummaryLines(input) {
+    const planned = typeof input.result.plannedCount === "number" ? input.result.plannedCount : 0;
+    const applied = typeof input.result.appliedCount === "number" ? input.result.appliedCount : 0;
+    const lines = [];
+    lines.push("Remediation summary:");
+    lines.push(`Mode: ${remediationModeLabel(input.options)}`);
+    lines.push(`Planned changes: ${planned}`);
+    lines.push(`Applied changes: ${applied}`);
+    lines.push(`Findings before remediation: ${input.before.summary.total}`);
+    lines.push(`Findings after remediation: ${input.result.report.summary.total}`);
+    if (input.options.dryRun) {
+        lines.push("No files were changed (dry-run).");
+    }
+    else if (applied === 0) {
+        lines.push("No files were changed.");
+    }
+    if (input.result.backupSessionId) {
+        const backupPath = resolve(input.scanTarget, ".codegate-backup", input.result.backupSessionId);
+        lines.push(`Backup session: ${backupPath}`);
+        lines.push(`Undo: codegate undo ${input.scanTarget}`);
+    }
+    const actionLines = input.result.appliedActions ?? input.result.plannedActions ?? [];
+    if (actionLines.length > 0) {
+        lines.push("Remediation actions:");
+        for (const action of actionLines.slice(0, 10)) {
+            lines.push(`- ${action.action} -> ${resolve(input.scanTarget, action.filePath)} (${action.findingId})`);
+        }
+        if (actionLines.length > 10) {
+            lines.push(`- ...and ${actionLines.length - 10} more`);
+        }
+    }
+    return lines;
+}
+export function renderByFormat(format, report, options) {
+    if (format === "json") {
+        return renderJsonReport(report);
+    }
+    if (format === "sarif") {
+        return renderSarifReport(report);
+    }
+    if (format === "markdown") {
+        return renderMarkdownReport(report);
+    }
+    if (format === "html") {
+        return renderHtmlReport(report);
+    }
+    return renderTerminalReport(report, { verbose: options?.verbose === true });
+}

package/dist/commands/scan-command.d.ts

@@ -0,0 +1,90 @@
+import { type CodeGateConfig, type OutputFormat } from "../config.js";
+import { type MetaAgentCommand, type MetaAgentTool } from "../layer3-dynamic/command-builder.js";
+import type { LocalTextAnalysisTarget } from "../layer3-dynamic/local-text-analysis.js";
+import type { ResourceFetchResult } from "../layer3-dynamic/resource-fetcher.js";
+import { type DeepScanResource } from "../pipeline.js";
+import type { ScanDiscoveryCandidate, ScanDiscoveryContext } from "../scan.js";
+import type { CodeGateReport } from "../types/report.js";
+import type { RemediationRunnerInput, RemediationRunnerResult } from "../layer4-remediation/remediation-runner.js";
+export interface ScanCommandOptions {
+    deep?: boolean;
+    remediate?: boolean;
+    fixSafe?: boolean;
+    dryRun?: boolean;
+    patch?: boolean;
+    noTui?: boolean;
+    format?: OutputFormat;
+    output?: string;
+    verbose?: boolean;
+    config?: string;
+    force?: boolean;
+    resetState?: boolean;
+    includeUserScope?: boolean;
+}
+export interface ScanRunnerInput {
+    version: string;
+    scanTarget: string;
+    config: CodeGateConfig;
+    flags: ScanCommandOptions;
+    discoveryContext?: ScanDiscoveryContext;
+}
+export interface DeepAgentOption {
+    id: "claude" | "codex" | "opencode";
+    label: string;
+    metaTool: MetaAgentTool;
+    binary: string;
+    detectedTool: string;
+}
+export interface MetaAgentCommandConsentContext {
+    resource?: DeepScanResource;
+    localFile?: LocalTextAnalysisTarget;
+    agent: DeepAgentOption;
+    command: MetaAgentCommand;
+}
+export interface MetaAgentCommandRunResult {
+    command: MetaAgentCommand;
+    code: number;
+    stdout: string;
+    stderr: string;
+}
+export interface RemediationConsentContext {
+    scanTarget: string;
+    totalFindings: number;
+    fixableFindings: number;
+    criticalFindings: number;
+}
+export interface ExecuteScanCommandInput {
+    version: string;
+    cwd: string;
+    scanTarget: string;
+    displayTarget?: string;
+    explicitCandidates?: ScanDiscoveryCandidate[];
+    config: CodeGateConfig;
+    options: ScanCommandOptions;
+}
+export interface ExecuteScanCommandDeps {
+    isTTY: () => boolean;
+    runScan: (input: ScanRunnerInput) => Promise<CodeGateReport>;
+    prepareScanDiscovery?: (scanTarget: string, config?: CodeGateConfig, options?: {
+        explicitCandidates?: ScanDiscoveryCandidate[];
+    }) => Promise<ScanDiscoveryContext> | ScanDiscoveryContext;
+    discoverDeepResources?: (scanTarget: string, config?: CodeGateConfig, discoveryContext?: ScanDiscoveryContext) => Promise<DeepScanResource[]> | DeepScanResource[];
+    discoverLocalTextTargets?: (scanTarget: string, config?: CodeGateConfig, discoveryContext?: ScanDiscoveryContext) => Promise<LocalTextAnalysisTarget[]> | LocalTextAnalysisTarget[];
+    requestDeepScanConsent?: (resource: DeepScanResource) => Promise<boolean> | boolean;
+    requestDeepAgentSelection?: (options: DeepAgentOption[]) => Promise<DeepAgentOption | null> | DeepAgentOption | null;
+    requestMetaAgentCommandConsent?: (context: MetaAgentCommandConsentContext) => Promise<boolean> | boolean;
+    runMetaAgentCommand?: (context: MetaAgentCommandConsentContext) => Promise<MetaAgentCommandRunResult> | MetaAgentCommandRunResult;
+    requestRemediationConsent?: (context: RemediationConsentContext) => Promise<boolean> | boolean;
+    executeDeepResource?: (resource: DeepScanResource) => Promise<ResourceFetchResult>;
+    runRemediation?: (input: RemediationRunnerInput) => Promise<RemediationRunnerResult> | RemediationRunnerResult;
+    stdout: (message: string) => void;
+    stderr: (message: string) => void;
+    writeFile: (path: string, content: string) => void;
+    setExitCode: (code: number) => void;
+    renderTui?: (props: {
+        view: "dashboard" | "summary";
+        report: CodeGateReport;
+        notices?: string[];
+    }) => void;
+}
+export declare function executeScanCommand(input: ExecuteScanCommandInput, deps: ExecuteScanCommandDeps): Promise<void>;